Should App Developers Get HIPAA Certified?
If you are a developer and you create apps, software, or other technologies that are connected to healthcare information, you are likely dealing with the question of HIPAA compliance and whether the laws around compliance apply to you and your app. One of the first things that probably come to mind is whether you need to get HIPAA certified.
It’s a reasonable question. Especially if you’ve built applications that use sensitive data like payment information, you’re used to the notion of required certifications. For example, online payment processors are required by law to be certified PCI compliant. If you’ve had to deal with PCI compliance, healthcare should have similar protections and certifications as well, right?
Unfortunately, it’s not that straightforward.
Who Certifies HIPAA Compliance? The short answer is no one. The Health Insurance Portability and Accessibility Act doesn’t require you or your company to obtain a third party certification by law, and there is no governing body that can officially certify your company as compliant.
That doesn’t mean you can’t get HIPAA certified, but rather any certification you get is optional, and offers no guarantee of compliance in the eyes of the U.S. Department of Health & Human Services (HHS), the governing entity that enforces HIPAA.
The law only requires that you are HIPAA compliant. It does not recognize third party certifications as any more reliable than a self-assessment that deems your company is compliant. Companies must ensure that they are compliant, but they can do the audits and assessments on their own, without the help or use of an outside entity.
Additionally, even with a third party certification, you and your company are still responsible for ensuring compliance. There is no safe harbor or protection from violations by having a third party certification.
While there is no legal obligation, you may want to consider becoming HIPAA certified anyway. The law requires HIPAA compliance when any personally identifiable medical information about a patient is handled by your application and shared with a Covered Entity (such as a doctors office.) The law refers to this information as Protected Health Information or PHI.
Doctors, nurses, and other professionals in the healthcare field have to be HIPAA certified and retrained regularly. And as of September 2013, all companies that work with Covered Entities, called Business Associates, must be HIPAA compliant as well. If you’re building an application that manages, stores, or shares PHI with covered entities you fall under HIPAA regulations.
The Benefits of HIPAA Certification
HIPAA was written nearly twenty years ago, and can be difficult to navigate due to it’s age, repeated updates, and wide regulatory reach. Figuring it out for yourself can be daunting. Getting certified as HIPAA compliant as a developer can help ensure you have the systems and processes in place to properly safeguard PHI and meet compliance standards outlined by the law. When you work with a compliance specialist you’ll have someone who knows the right questions to ask, what to look for, and understand how the law applies to your software application.
To ensure that any apps or software you develop are HIPAA compliant, completing a certification process will accomplish three things: 1. You will know the laws and regulations surrounding HIPAA compliance and how to best manage the PHI collected by your software. 2. You will have a knowledgeable person or entity asking the right questions and looking for potential violations you are unaware of. 3. Your certification may assist you in securing new partnerships with Covered Entities who will need to ensure your compliance before taking data from your application.
How do you become HIPAA certified?
There are a number of different programs and providers, but they all typically follow a similar process. Before you choose a provider however, ensure that they are reputable. If they promote any kind of message that the law requires certification, walk away. That’s a red flag.
Step One: Determining HIPAA Certification Level
As you do your research you’ll find that certification providers offer several different levels of HIPAA certification that focus on the different parts of the law and job functions that typically go into managing PHI. You’ll find certifications on privacy, security, HIPAA awareness, transaction, and becoming a HIPAA administrator for your company. (How to Get HIPAA Certification)
The first thing you need to do is determine what level you wish to obtain and which employees will be certified for which roles. This will depend purely on what you will be doing, how much data you will handle, and your role in developing the app or device.
As a developer the transaction and security certifications are typically most relevant as they are focused specifically on electronic data handling, medical application development and PHI encryption. Other team members may desire different certifications based on their role in the company.
Because the Final Omnibus Rule that was passed in September of 2013 is most relevant to you as a third party developer of applications who transact with covered entities, you’ll want to ensure that the compliance course has been updated to account for those rule changes.
Step Two: Completing HIPAA Training
The next step is completing the provider’s HIPAA training program. HIPAA awareness certification goes through the basic information about the law, while certifications for privacy and administrator levels are much more advanced. As mentioned above, the transaction and security certifications address the issues that come from electronic data handling.
You have a few different options for completing the training depending on the program you choose. Some programs offer self-paced online courses while others include classroom and seminar time. In some cases, certification centers will even allow you to offer a private course at your company, which is probably useful if you want to certify a large number of employees at once. Costs vary so you may want to shop around to see what options are available to you.
Step Four: The HIPAA Certification Test
After you have completed the training, most providers will require you to pass a certification test. If you choose the most basic of the HIPAA certifications you may not have to take an exam. However, any of the in-depth options will likely require passing a test with a minimum acceptable grade before being certified.
There are no specific government standards for the testing process, and that means the exam can vary widely from one training center to another and from one type of certification to another. Additionally, the actual titles of the certifications can be different from one program to the next. You’ll want to pay attention to the descriptions of the course to ensure you’re getting certified with the qualifications you’re looking for.
Step Five: Keeping Up to Date
Even after you’ve been HIPAA certified, you’ll want to keep up to date on changes to the law through the US Department of Health and Human Services website. HIPAA information is updated regularly, and it’s important you stay on top of any changes to ensure you remain in compliance.
Of course, you don’t have to go through the training at all and can get all the compliance information through the US Department of Health and Human Services website. You can even develop your own in-house training for employees. Documenting this program and process is essential should HHS audit you down the line.
In addition to the formal training, you may want to consider having other employees who aren’t directly involved in the handling of PHI to sign a HIPAA awareness form. This simply states that they know HIPAA exists and they know what it is about. This is a good way to create extra awareness around your company and ensure that there aren’t any accidental breaches of private data.
If you are building applications for the healthcare industry that will fall under HIPAA guidelines, the becoming HIPAA certified might be worthwhile. Of course, making your application HIPAA compliant in the first place can take considerable time and effort. That’s why TrueVault created the first HIPAA-compliant secure healthcare API for applications.
With TrueVault, any PHI resides within TrueVault’s HIPAA compliant environment and is transmitted securely via our RESTful API. That means as a developer you can spend more time on building your application and less time worrying about compliance and red tape.
However, whether you decide to seek a HIPAA certification or not, if you are developing healthcare apps that may collect, store or transmit protected health information, it’s critical that you comply with HIPAA guidelines. For more information, checkout our Developers Guide to HIPAA Compliance on GitHub.