Do I need to become HIPAA compliant?

If you are collecting, storing or transmitting PHI (Protected Health Information) to a covered entity then you definitely should be HIPAA compliant.

Does HIPAA have a safe harbor clause?

HIPAA isn’t like the Digital Millennium Copyright Act (DMCA): there is no safe harbor clause for unintended transmission, storage or disclosure of PHI. Regardless of how you planned it, scoped it, envisioned it or dissuaded users from including it, if PHI is in your app or on your servers you could face HIPAA fines if you’re not in compliance.

Does my business fall under HIPAA oversight?

The official way to determine whether you qualify as a health care provider is to check whether your company fits the definition of health care provider in 45 CFR § 160.103. An attorney can verify whether this is the case for your business.

Does using HIPAA hosting make my application HIPAA compliant?

The short answer is no. HIPAA hosting alone does not make you HIPAA compliant.

How do I become HIPAA compliant?

In order to meet HIPAA compliance requirements for software development you need to ensure you’re meeting the four main rules of the HIPAA law:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Enforcement Rule
  • HIPAA Breach Notification Rule
How much do HIPAA violations cost?

HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time.

Is there certification for HIPAA compliance?

The short answer is no.

Unlike PCI, there is no one who can “certify” that an organization is HIPAA compliant. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is the federal governing body that determines compliance. HHS does not endorse or recognize the “certifications” issued by private organizations.

What Is The HIPAA Privacy Rule?

The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to enforce HIPAA requirements. The Privacy Rule addresses the use and disclosure of individuals’ health information by covered entities subject to the Rule. It also creates a standard for individual privacy rights, so that people can understand and control how their health information is used.

What are my options for developing a HIPAA compliant application?

When building a HIPAA compliant application, your non-technical team should handle HIPAA’s administrative requirements. Developers should focus on the physical and technical safeguards of the HIPAA Security Rule.

What are some good online resources for learning about regulatory compliance in health care?

Here is a link to the combined text of HIPAA, the federal law that outlines the requirements for the management, storage, and transmission of protected health information (PHI) in both physical and digital form:

However, that’s a lot of legalese. To help clarify, we’ve created a checklist that summarizes the basics:

What are the Administrative Safeguards of HIPAA?

The administrative components are really important when implementing a HIPAA compliance program; you are required to:

  • Assign a privacy officer
  • Complete a risk assessment annually
  • Implement employee training
  • Review policies and procedures
  • Execute Business Associate Agreements (BAAs) with all partners who handle protected health information (PHI)
What are the Physical Safeguards of HIPAA?

The Physical Safeguards really have to do with who has physical access to PHI data and how that access is managed. Many of the Physical Safeguard requirements that developers need to worry about are handled by HIPAA compliant hosting companies (such as AWS, Firehost and Rackspace).

Other parts of the Physical Safeguards are handled by your internal rules around who can and can’t access PHI.

What are the Technical Safeguards of HIPAA?

Technical safeguards outline what your application must do while handling PHI.

While these safeguards contain both required and addressable elements, you should implement them all. Addressable elements (such as automatic logoff) are really just software development best practices.

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act, is a federal law that was passed in 1996 and updated in 2013 with the Final Omnibus Rule Update. Among other things, HIPAA outlines the requirements for the management, storage, and transmission of protected health information (PHI) in both physical and digital form. And while the original legislation pre-dates the rise of the commercial Internet (and the iPhone by a decade), its rules govern the use of this special type of personal data by applications on the web and mobile devices.

What is Protected Health Information (PHI)? - TrueVault

PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a health care service, such as a diagnosis or treatment.

What is a Business Associate?

Simply put, a Business Associate is a vendor or subcontractor who has access to PHI (Protected Health Information).

A more legalese definition of a Business Associate is any entity that uses or discloses PHI on behalf of a Covered Entity. Furthermore, a Business Associate is any person who, on behalf of a Covered Entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.

What is a Covered Entity?

A covered entity is anyone who provides treatment, payment or operations in health care.

What is the Final Omnibus Rule Update?

In September of 2013, the Final Omnibus Rule Update was passed. It amended HIPAA and greatly expanded the definition of who needs to be HIPAA compliant.

Previously, only covered entities (such as doctors, hospitals, and insurers) were required to be HIPAA compliant. With the rule change, however, all entities that store, manage, record or pass Protected Health Information (PHI) to and from covered entities are also required to be HIPAA compliant. These entities, called Business Associates, were previously exempt from HIPAA and now fall under its governance.

What is the difference between PHI and Consumer Health Information?

The test is pretty simple: if your device or application currently shares, or will share, the user’s personal health data held in the app or device with a covered entity such as a doctor, then you are dealing with protected health information and need HIPAA compliant software.

What is GDPR?

The General Data Protection Regulation is an extensive new law regulating the collection and use of the personal data of individuals in the European Union, which comes into effect on 25 May 2018. GDPR replaces the Data Protection Directive of 1995, which was the EU’s first legal framework covering data protection. In the 20 years since then, the explosion in the use of computers and the internet has contributed to a huge rise in the collection and processing of personal data. Unfortunately, this has also increased the potential for data theft and misuse. GDPR is therefore an attempt to deal with these threats and update the law for the modern world.

Do I need to be GDPR compliant?

If you are covered by GDPR, then not only will your customers expect you to be compliant, but your business partners may require it as a condition of their contracts. Moreover, the fines for breaching the Regulation are harsh, going up to €20,000,000 or 4% of your global turnover (whichever is higher).

What are the penalties for breaching GDPR?

One of the biggest changes made by GDPR compared to the previous regime is the threat of potentially huge fines for breaches, going up to €20,000,000 or 4% of your global turnover, whichever is higher.

What are the grounds for processing personal data under GDPR?

Article 6 specifies that processing (including collection) is only lawful if one of the following lawful grounds applies:

  1. The data subject has given their consent to the processing.
  2. The processing is necessary for the performance of a contract you have with the data subject, or to take steps requested by them in the lead up to entering a contract (such as preparing a quote).
  3. The processing is necessary to comply with a legal obligation.
  4. The processing is necessary to protect the data subject’s (or another person’s) vital interests.
  5. The processing is necessary to perform a task in the public interest or in exercise of official authority.
  6. The processing is necessary to protect the organization’s (or a third party’s) legitimate interests.
What are the GDPR rules on consent?

GDPR has relatively strict requirements (in Article 7) for establishing that sufficient consent has been given. The seven principles are:

  • Consent must be clear
  • Consent must be informed
  • Consent must be freely given
  • Consent must be recorded
  • Consent for children
  • "Explicit" consent
  • Withdrawing consent
What are the rules on processing personal data under GDPR?

The Regulation sets out a number of principles governing the collection and use of personal data, following the overall philosophy of “data protection by design and by default”.
What are the rights of data subjects under GDPR?

GDPR regulates the processing of personal data. One of the ways it does this is by restating and increasing the rights of data subjects, including the rights to access their data, to have it amended or deleted, and to have processing halted.

What are the rules on data breaches?

Data breaches include any access to, or destruction, loss, alteration or disclosure of, personal data that is accidental, unauthorized or otherwise unlawful. In these cases, there are two main duties: notify the authorities and notify the data subjects.

What does GDPR require in data processing agreements?

GDPR regulates the processing of personal data by imposing obligations on two types of organizations: data controllers and data processors. Data controllers decide the purposes and means of processing, while data processors act on the instructions of data controllers. As well as regulating the activities of each of them (as detailed throughout this series), the Regulation also sets requirements for the relationship between them (in Article 28), including what the processing contract must contain.

What else does GDPR require?

GDPR is meant to be a complete code for dealing with personal data. As a result, it’s a long document filled with numerous, often disconnected, requirements designed to protect personal data. This resource explains the key principles we have yet to cover.