If you are collecting, storing or transmitting PHI (Protected Health Information) to a covered entity then you definitely should be HIPAA compliant.
HIPAA isn’t like the Digital Millennium Copyright Act (DMCA): there is no safe harbor clause for unintended transmission, storage or disclosure of PHI. Regardless of how you planned it, scoped it, envisioned it or dissuaded users from including it, if PHI is in your app or on your servers you could face HIPAA fines if you’re not in compliance.
The official way to determine whether you qualify as a healthcare provider is to determine if your company fits the CFR 45 § 160.103 definition of health care provider. An attorney can verify whether this is the case for your business.
The short answer is no. HIPAA hosting alone does not make you HIPAA compliant.
In order to meet HIPAA compliance requirements for software development you need to ensure you’re meeting the four main requirements of the HIPAA law.
HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time.
The short answer is no.
Unlike PCI, there is no one who can “certify” that an organization is HIPAA compliant. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is the federal governing body that determines compliance. HHS does not endorse or recognize the “certifications” made by private organizations.
The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to enforce HIPAA requirements. The Privacy Rule addresses the use and disclosure of the health information for individuals by covered entities subject to the Rule. It also creates a standard for individual privacy rights to control and understand how their health information is used.
When building a HIPAA compliant application, your non-technical team should worry about HIPAA’s administrative requirements. Developers should focus on the physical and technical aspects of the HIPAA Security Rule.
Here is a link to the combined text of HIPAA, the federal law that outlines the requirements for the management, storage, and transmission of protected health information (PHI) in both physical and digital form:
However, that’s a lot of legalese. To help clarify, we’ve created a checklist that summarizes the basics:
The administrative components are really important when implementing a HIPAA compliance program; you are required to:
The Physical Safeguards really have to do with who has access to PHI data and how that access is managed. Many of the Physical Safeguard requirements that developers need to worry about are handled by HIPAA compliant hosting companies (such as AWS, Firehost and Rackspace).
Other parts of the Physical Safeguards are handled by your internal rules around who can and can’t access PHI.
Technical safeguards outline what your application must do while handling PHI.
While there are both required and addressable elements to these safeguards you should implement them all. Addressable elements (such as automatic logoff) are really just software development best practices.
HIPAA, the Health Insurance Portability and Accountability Act, is a federal law that was passed in 1996 and updated in 2013 with the Final Omnibus Rule Update. Among other things, HIPAA outlines the requirements for the management, storage, and transmission of protected health information (PHI) in both physical and digital form. And while the original legislation pre-dates the rise of the commercial Internet (and the iPhone by a decade), its rules govern the use of this special type of personal data by applications on the web and mobile devices.
PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a health care service, such as a diagnosis or treatment.
Simply put, a Business Associate is a vendor or subcontractor who has access to PHI (Protected Health Information).
A more legalese definition of a Business Associate is any entity that uses or discloses PHI on behalf of a Covered Entity. Furthermore, a Business Associate is any person who, on behalf of a Covered Entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
A covered entity is anyone who provides treatment, payment and operations in healthcare.
In September of 2013, the Final Omnibus Rule Update was passed that amended HIPAA and greatly expanded the definition of who needed to be HIPAA compliant.
Previously, only covered entities (such as doctors, hospitals, and insurers) were required to be HIPAA compliant. With the recent rule change however, all entities that store, manage, record or pass Protected Health Information (PHI) to and from covered entities are also required to be HIPAA compliant. These entities, called Business Associates, who were previously exempt from HIPAA, now fall under its governance.
The test is pretty simple: if your device or application currently shares or will share the user’s personal health data held in the app or device with a covered entity such as a doctor then you are dealing with protected health information and need HIPAA compliance software.
The General Data Protection Regulation is an extensive new law regulating the collection and use of personal data of individuals in the European Union, which comes into effect on 25 May 2018. GDPR replaces the Data Protection Directive of 1995, which was the EU’s first legal framework covering data security. In the 20 years since then, the explosion in the use of computers and the internet has contributed to a huge rise in the collection and processing of personal data. Unfortunately, this has also increased the potential for data theft and misuse. GDPR is therefore an attempt to deal with these threats and update the law for the modern world.
If you are covered by GDPR, then not only will your customers expect you to be compliant, but your business partners may require it as a condition of their contracts. Moreover, the fines for breaching the Regulation are harsh, going up to €20,000,000 or 4% of your global turnover (whichever is higher).
One of the biggest changes made by GDPR compared to the previous regime is the threat of potentially huge fines for breaches, going up to €20,000,000 or 4% of your global turnover, whichever is higher.
In Article 6, it is specified that processing (including collection) is only lawful if one of the following lawful grounds applies:
GDPR has relatively strict requirements to establish that sufficient consent has been given (in Article 7). The seven principles are:
The Regulation sets out a number of principles governing the collection and use of personal data, following the overall philosophy of “data protection by design and by default”.
GDPR regulates the processing of personal data. One of the ways it does this is by restating and increasing the rights of data subjects, including the rights to access their data, to have it amended or deleted, and to have processing halted.
Data breaches include any access to, or destruction, loss, alteration or disclosure of, personal data which is accidental, unauthorized or otherwise unlawful. In these cases, there are two main duties: notify the authorities and notify the data subjects.
GDPR regulates the processing of personal data by imposing obligations on two types of organizations - data controllers and data processors. Data controllers set the agenda for processing, while data processors act on the instructions of data controllers. As well as regulating the activities of each of them (as detailed throughout this series), the Regulation also sets requirements for the relationship between them (in Article 28), including what the processing contract must contain.
GDPR is meant to be a complete code for dealing with personal data. As a result, it’s a long document filled with numerous requirements. As such, there are a lot of disconnected regulations that are designed to protect personal data. This resource is an explanation of the key principles we have yet to cover.