Introduction
HIPAA, the Health Insurance Portability and Accountability Act, was passed in 1996, and among other things, outlines the requirements for the management of, storage and transmission of protected health information (PHI) in both physical and digital form. And while the original legislation pre-dates the rise of the commercial Internet (and the iPhone by a decade) its rules govern the use of this special type of personal data by applications on the web and mobile devices.
With any twenty year old piece of legislation that was written in a world without smartphones, tablets, and heck, even webmail, HIPAA is full of requirements that are confusing and challenging, particularly for software developers who have to make sense of them as they relate to their product and the underlying technologies that we all use on a regular basis to build and deliver applications to our customer bases.
2013 Final Omnibus Rule Update
In September of 2013, the Final Omnibus Rule Update was passed that amended HIPAA and greatly expanded the definition of who needed to be HIPAA compliant. Previously, only covered entities (such as doctors, hospitals, and insurers) were required to be HIPAA compliant. With the recent rule change however, all entities that store, manage, record or pass Protected Health Information (we'll just call it PHI from now on) to and from covered entities are also required to be HIPAA compliant. These entities, called Business Associates, who were previously exempt from HIPAA, now fall under its governance.
Why this guide?
As you can imagine, complying with federal regulations around privacy and healthcare data is no small task. That's why we've created this guide—to help you wade through what you need to know about HIPAA compliance as it relates to your application and what steps you'll need to take to ensure you don't end up in violation of the law.
There is plenty to read about HIPAA guidelines, and if you want you can spend a good chunk of the rest of the year reading up on all the details. Therefore, we're not going to rewrite everything here. This guide is not meant to be comprehensive, but rather give you a framework and reference to help you understand the major portions of the law that apply directly to the software you're developing for mobile, web and wearable applications.
Who is this guide for?
If you're a developer building a web, mobile or wearable software application that deals in the collection, storage, or transmission of personally identifiable health information to covered entities like doctors this is for you. You'll get the ins and outs of HIPAA compliance guidelines and the steps you'll want to take to ensure you're within those guidelines in the development, hosting, and communication with your users.
From a breakdown of the terms and requirements, to specific examples of HIPAA-covered activities, we've tried to give you what you need to understand the laws in plain language so that you can make the right decisions when developing your application.
Whether you decide that your application falls under HIPAA guidelines or not, this guide will give you the information you need to make that decision.
Build on our Work
This guide is the just the beginning. We hope you'll help us build it out further to make it the go-to source for information on HIPAA compliance and software development.
Questions/Feedback
You can drop us a line any time at hello@truevault.com. We'd love to hear from you.
Mandatory disclaimer
We're software developers just like you, but we've spent countless hours researching, studying and learning the ins and outs of HIPAA compliance. We've worked with industry experts and attorneys to understand the various portion of the law. In short, we think we have a solid handle on it.
However, we need to be clear — we're not lawyers and you should not take this as legal advice. If you need to make business decisions around HIPAA you'll probably sleep better at night knowing you paid a very expensive attorney to give their opinion on your specific question.
