HIPAA Security Rule for Software Developers

What is the HIPAA Security Rule?

The HIPAA Security Rule outlines national security standards intended to protect health data created, received, maintained, or transmitted electronically.

It basically says that any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

There are three parts to the HIPAA Security Rule:

1. Administrative Safeguards
2. Technical Safeguards
3. Physical Safeguards

TrueVault meets or exceeds all HIPAA laws and requirements in the technical and physical safeguard categories. HIPAA hosting environments such as Amazon AWS or Firehost only cover physical safeguards, therefore potentially exposing you to HIPAA violations.

HIPAA Administrative Safeguards

The administrative components are really important when implementing a HIPAA compliance program. You are required to:

1. Assign a privacy officer
2. Complete a risk assessment annually
3. Implement employee training
4. Review policies and procedures
5. Execute Business Associate Agreements (BAAs) with all partners who handle protected health information (PHI)

Companies who can help with the administrative components of a HIPAA compliance program:

• Accountable
• Compliance Helper
• Compliancy Group

HIPAA Technical Safeguards

The technical safeguard requirements for HIPAA compliance are as follows. Be sure to see our note about the distinction between required and addressable safeguards below.

ePHI is electronic protected health information. Any time you're dealing with protected health information (PHI) you are governed by HIPAA laws.

• Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.
• Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
• Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
• Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
• Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
• Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
• Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
• Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
• Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.

Required vs. Addressable HIPAA Implementation Specifications

Many of the implementation specifications above in the the "HIPAA Security Rule Checklist" are listed as addressable. Specifications that are HIPAA requirements must be implemented. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; the choice must be documented. It is important to remember that an

Most HIPAA hosting companies should implement the addressable specifications as they are best practice data security features any way.

HIPAA Physical Safeguards

The Physical Safeguards requirements for HIPAA compliance document the access control and validation of people getting to the servers where ePHI is stored. It also details the requirements for the emergency recovery requirements and re-use and disposal of media that holds ePHI.

Typically HIPAA hosting providers only cover these safeguards, not the technical safeguards. Therefore hosting your application in a HIPAA compliant environment is not enough to make your app itself HIPAA compliant and open you up to HIPAA violation, which can reach a maximum penalty of $50,000 per violation, with an annual maximum of $1.5 million.

Make your app HIPAA compliant today. You can be up and running in minutes, with no credit card and no trial expiration.

Skip the red tape of managing the physical safeguards yourself and head straight to developing amazing new solutions for the healthcare industry with TrueVault.