How We Ensure HIPAA Compliance Of Your Website
The Health Insurance Portability and Accountability Act (HIPAA) is the US law that protects private health information. Every medical professional who runs their business online should know it well. At MobiDev, we have extensive experience in software development for healthcare, where HIPAA compliant software is essential.
What are the minimal requirements that make your website HIPAA compliant?
Any ePHI (electronic Protected Health Information) must be encrypted before being transmitted.
ePHI must be backed up so that it can be recovered and restored when needed.
ePHI can be accessed only by authorized staff.
ePHI must not be subject to unsanctioned changes.
Stored ePHI should be encrypted.
When ePHI is no longer needed, it can be safely and permanently disposed of.
The final key to a HIPAA compliant website: ePHI should be hosted on the servers of a company with which a Business Associate Agreement has been signed. Otherwise, it should be hosted on secure in-house servers.
Does a generic website meet the HIPAA requirements? (The numbering follows the seven requirements above.)
1. Transport Encryption: No. Data is not encrypted before or during transmission.
2. Backup and Restoration: Maybe. Most web hosts provide backup and restoration features.
3. Authorized Access: Maybe. Depends on the features of your medical website.
4. Integrity: No. There is no guarantee that data has not been modified.
5. Storage Encryption: No. Stored data is not encrypted.
6. Disposal: Maybe. Depends on the website. Some web hosting providers store backups indefinitely.
7. Business Associate Agreement: No. Most web hosting providers do not know what HIPAA is, and will not be willing to run any risks by signing this agreement, which might contradict their own business processes.
As you can see, a medical website that was never built with security best practices, or never updated to meet the specific HIPAA standards, will fail these requirements. The same goes for HIPAA compliance of healthcare applications.
How to ensure HIPAA compliance in website design and development?
The way to make your medical website HIPAA compliant (or to build one from scratch) depends on your goals and on how sensitive data is stored and transmitted. However, we can outline in general terms how we ensure that these requirements are met during website development:
HIPAA compliant software keeps sensitive health data encrypted in transit, and the first step is to secure the website with SSL and HTTPS. Your hosting provider should allow you to configure SSL to use strong encryption methods. HTTPS protects the pages that collect or display health data as well as the login pages, and there must be no alternate non-secure versions of these pages. What's more, where the client and server exchange data directly, i.e. data is transmitted in the body of POST requests, we can additionally encrypt it on the sender's side and decrypt it on the receiver's side. This protects the transmission from man-in-the-middle attacks. Passwords can be transmitted and stored as hash values; together with strong, complex passwords, this prevents them from being compromised. With these measures the HIPAA requirement for secure user-website communication is met.
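Two of the controls in the paragraph above, "no non-secure version of any page" and "passwords stored only as hash values", as an added example in Python (this is not MobiDev's code or the page's own; the request shape, the iteration count and the storage format are assumptions, and only the standard library is used):

```python
"""Added example (not MobiDev's code): HTTPS-only enforcement and salted
password hashing with the Python standard library."""
import hashlib
import hmac
import os
from urllib.parse import urlunsplit

# Assumed HSTS policy: one year, all subdomains.
HSTS = "max-age=31536000; includeSubDomains"


def enforce_https(scheme: str, host: str, path: str) -> dict:
    """Return the status and headers a front controller should emit.

    A request that arrived over plain HTTP is redirected (301) to the same
    URL over HTTPS, so no non-secure version of a page that shows or collects
    ePHI is ever served. HTTPS requests get an HSTS header so browsers stop
    trying plain HTTP at all.
    """
    if scheme.lower() != "https":
        return {"status": 301,
                "Location": urlunsplit(("https", host, path, "", ""))}
    return {"status": 200, "Strict-Transport-Security": HSTS}


# Passwords are never stored in clear: only a per-user random salt and a
# PBKDF2-HMAC-SHA256 hash are kept. The iteration count is an assumed value.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Produce a self-describing record: algorithm$iterations$salt$hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    # Storing the parameters with the hash lets them be raised later
    # without breaking existing accounts.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare it."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(enforce_https("http", "clinic.example", "/patients/42"))
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong password", record))
```

The redirect plus HSTS header is what makes "there should not be any alternate non-secure versions of these pages" enforceable rather than a matter of which links a user happens to click; the hash record carries its own parameters so the work factor can be increased as hardware gets faster.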
Most hosting providers offer backup and recovery services, so data will not be lost in case of an accident or emergency. If your website sends data elsewhere (e.g. via email), those messages should also be backed up, stored securely, and accessible to authorized staff only.
Authorization can be set up by the web team that builds or upgrades your medical website: audited access controls and secure logins ensure that sensitive data can be accessed only by authorized personnel. If the hosting provider can access it as well, the question of a HIPAA Business Associate Agreement arises.
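An added example of what "audited access controls" can look like in code (this is not MobiDev's implementation; the roles, the care-team rule and the sample users are assumptions made for the illustration): every decision, allowed or denied, is written to an audit log, and access requires both a role permission and an assignment to the patient.

```python
"""Added example (not MobiDev's code): audited, least-privilege access
control for ePHI records. Roles and sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which actions each role may perform on a patient's clinical record.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": set(),   # needs no clinical ePHI at all
    "admin": set(),     # manages accounts, never patient data
}


@dataclass
class User:
    username: str
    role: str
    care_team_patients: set  # patients this user is assigned to


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def authorize(self, user: User, patient_id: str, action: str) -> bool:
        """Decide whether `user` may perform `action` on `patient_id`'s ePHI.

        Two checks must both pass: the role grants the action, and the user
        is on the patient's care team (least privilege: a physician cannot
        read every chart in the system). Every decision is logged.
        """
        role_ok = action in ROLE_PERMISSIONS.get(user.role, set())
        assigned = patient_id in user.care_team_patients
        allowed = role_ok and assigned
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user.username,
            "role": user.role,
            "patient": patient_id,
            "action": action,
            "result": "ALLOW" if allowed else "DENY",
        })
        return allowed

    def denied_attempts(self, username: str) -> int:
        """Count denials for a user; a spike is a signal worth reviewing."""
        return sum(1 for e in self.audit_log
                   if e["user"] == username and e["result"] == "DENY")


if __name__ == "__main__":
    ac = AccessControl()
    dr = User("dr_lee", "physician", {"P-1001"})
    clerk = User("clerk", "billing", {"P-1001"})
    print(ac.authorize(dr, "P-1001", "write"))    # allowed
    print(ac.authorize(dr, "P-2002", "read"))     # denied: not on care team
    print(ac.authorize(clerk, "P-1001", "read"))  # denied: role lacks read
    print(ac.denied_attempts("dr_lee"))
```

The audit log is itself ePHI-adjacent (it names patients), so it falls under the same storage-encryption and access rules as the records it describes.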
It is absolutely necessary to ensure that the information you collect, store, and transfer is kept safe from being damaged or altered in an undesired way, whether intentionally or unintentionally. The first step is to make sure that your system can immediately detect and report any unauthorized data tampering, even if only a single bit has changed. In website development this is achieved by digitally signing and then verifying every piece of data stored or transmitted in the system, using such means as PGP, SSL, etc. Beyond that, the entire system has to be designed and built in a way that prevents any unauthorized access to the data.
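The single-bit detection described above, as an added example in Python (not MobiDev's code): stored records carry an HMAC-SHA256 tag computed over a canonical serialization, and verification fails if even one bit of the data changes or the wrong key is used. The record layout and the all-zero demo key are constructed for the illustration; in a deployment the key lives in a key store that the database host cannot read.

```python
"""Added example (not MobiDev's code): integrity tags for stored ePHI."""
import copy
import hashlib
import hmac
import json

# Constructed demo key. A real key is generated randomly and kept out of the
# database and source tree, otherwise anyone who can alter data can re-tag it.
DEMO_KEY = bytes.fromhex("00" * 32)

# Constructed sample record.
SAMPLE_RECORD = {
    "patient": "P-1001",
    "drug": "metformin",
    "dose_mg": 500,
    "prescriber": "dr_lee",
}


def canonical(record: dict) -> bytes:
    """Serialize deterministically: same content, same bytes, same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes) -> dict:
    """Attach an integrity tag computed over the record's canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    """True only if `data` is exactly what was sealed under `key`."""
    expected = hmac.new(key, canonical(sealed["data"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def flip_one_bit(sealed: dict) -> dict:
    """Simulate a one-bit storage change: dose 500 becomes 501 (500 ^ 1)."""
    tampered = copy.deepcopy(sealed)
    tampered["data"]["dose_mg"] ^= 1
    return tampered


def check_on_read(sealed: dict, key: bytes) -> dict:
    """What the data layer should do: refuse to hand out a record that fails."""
    if not verify(sealed, key):
        raise ValueError("integrity check failed for patient "
                         + sealed["data"].get("patient", "?"))
    return sealed["data"]


if __name__ == "__main__":
    sealed = seal(SAMPLE_RECORD, DEMO_KEY)
    print(verify(sealed, DEMO_KEY))                  # intact
    print(verify(flip_one_bit(sealed), DEMO_KEY))    # one bit changed
    print(verify(sealed, b"\x01" * 32))              # wrong key
```

An HMAC gives the "detect and report" half of the requirement; it does not stop an attacker who holds the key, which is why the paragraph's second half (preventing unauthorized access in the first place) still matters.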
The measures mentioned above, such as regular backups, encryption, access authorization with proper user roles and privileges, and restriction of physical access to the infrastructure, go a long way toward making your medical website HIPAA compliant. One further step is to design the software UI so that it prevents the input of invalid data, or helps to detect and correct at least the most typical mistakes.
Dealing with sensitive PHI, you have to make sure that it is available to authorized eyes only. This covers all the data stored in the software system, including databases, backups, and even logs. It may happen to be stored in locations that are out of your control, such as on a server shared with other customers of the same hosting provider. Should this server be compromised in some way, the data must remain encrypted and inaccessible.
For this purpose we apply industry-approved encryption using the AES and RSA algorithms with strong keys (preferably 256 bits for AES, and at least 4096 bits for RSA). We also use encrypted databases such as SQLCipher to store data safely on the backend.
Backed up and archived data has to expire and be permanently disposed of, and the same applies to all decryption keys. What's more, you must anticipate that every location the data is transmitted to might be making backups or copies of it. Whenever you stop using a server, the data on it has to be disposed of as well.
Business Associate Agreement
A Business Associate Agreement must be signed with every vendor that handles your sensitive health data. Under it, your web hosting provider commits to following the security requirements and providing a HIPAA compliant infrastructure. Our job is to follow the same rules in the website's design and in the implementation of its functionality.
You will make many decisions and weigh carefully what is necessary and appropriate to protect your users' sensitive data and meet these requirements while creating healthcare applications and websites. We are here to assist, consult, and provide outsourced software development for healthcare applications and website design.
You can also learn more about the use of Bluetooth Low Energy in healthcare applications, yet another field of our expertise. And if you have any further questions about HIPAA compliant software product development, other specific services, or the project processes of MobiDev, feel free to ask!