Published February 23, 2021 • By Reciprocity

Anyone developing software for the healthcare industry faces the constant need to comply with the Health Insurance Portability and Accountability Act—more commonly known as HIPAA, and the cornerstone of privacy and security for personal health information. 

HIPAA specifies the privacy rules for healthcare records and other medical data. Any business working in the healthcare sector must keep HIPAA compliance in mind, from hospital systems to health insurance plans to medical device makers and many more.

And yes, that includes software development firms working in healthcare, and their subcontractors too. 

In this article, we’ll share a HIPAA compliance checklist that software developers can use to assure that the software they create for healthcare organizations meets all compliance requirements.

What Does HIPAA Mean For Software Developers?

Software developers are expected to adhere to HIPAA compliance requirements if their solutions collect, process, transmit, or provide data storage of electronically protected health information (ePHI). 

The types of ePHI include: 

  1. Names
  2. Geographical identifiers
  3. Dates 
  4. Phone or fax numbers
  5. Email addresses
  6. Social Security numbers
  7. Medical record numbers
  8. Beneficiary information
  9. Account numbers
  10. Certificate/license numbers
  11. Vehicle identifiers
  12. Device identifiers 
  13. Uniform Resource Locators (URLs) or Internet Protocol (IP) address numbers
  14. Biometric identifiers
  15. Full face photos

Furthermore, HIPAA requires what’s known as a “business associate contract” (or “business associate agreement”) which applies to software developers in this industry.

This is a written agreement that specifies each party’s responsibilities pertaining to ePHI, and assures an organization that the covered entities involved will take all necessary steps to protect protected health information.

Furthermore, the Department of Health and Human Services (HHS) has the right to audit covered entities, business associates (BAs), and subcontractors to enforce HIPAA compliance.

Therefore, organizations must have a business associate agreement for all three parties (organization, software developer, and subcontractor) to meet the requirements of HIPAA.

The 5 HIPAA Enforcement Rules

1. The HIPAA Privacy Rule

The HIPAA Privacy Rule lists the requirements for protecting ePHI. Therefore, all types of ePHI listed above must be protected with administrative, technical, and physical safeguards.

The privacy rule lists access controls in which certain medical professionals can procure ePHI without authorization.  

The rule also defines the rights of patients. Patients can view or request their personal medical records, and request corrections of any inaccurate information.

2. The HIPAA Security Rule

The security rule details the requirements for security measures used to protect patient data and methods for identification, remediation, and prevention of data security breaches.

The security rule also specifies that covered entities must undergo periodic risk assessments and audits to assure their technical safeguards are reliable.

3. The HIPAA Enforcement Rule

The HIPAA Enforcement Rule defines the penalties for a data breach. Penalty amounts can vary depending on the number of medical records exposed and how many data breaches have occurred within an organization.

Fines can range from $100 to $50,000 for the first violation but can go as high as $1.5 million for subsequent breaches.

4. The Breach Notification Rule

This rule dictates that if a data breach affects fewer than 500 individuals, the organization is required to notify those individuals within 60 days. The affected business must also notify the Office For Civil Rights (OCR) within the HHS within 60 days of the new year after the breach.

If more than 500 individuals are involved in a data breach, then the organization is required to notify the public through news media channels. 

5. The Omnibus Rule

This rule, added in 2013, extends the obligations of “business associates”—that is, third parties that work with companies subject to HIPAA—to comply with the HIPAA rules while dealing with ePHI. This inclusion is especially important for software developers.

When Is a Solution Defined as HIPAA-Compliant?

All software that handles ePHI in any way should comply with the physical, technical, and administrative safeguards laid out in HIPAA regulations. 

To summarize the checklist below, a solution that uses ePHI should:

  • restrict physical access of identifiable health information to authorized users only 
  • be tested to assure the transmission of ePHI is secure
  • encrypt data to prevent unauthorized access 
  • include secure data storage methods

Checklist for HIPAA Compliant Software

1. User Authentication

To make your software HIPAA-compliant, you need to include at least two of the factors listed below:

  • A password
  • A security code
  • Biometric credentials
  • Access based on location

HIPAA-compliant software must also remember its users and must permit health professionals to procure patient data without being required to adhere to complex protocols every time they need to use the system.

2. Remediation Methods

A remediation plan must be implemented to assure patient data protection. It should include the following elements:

  • All actions that will be taken to assure data security
  • Clearly defined team member responsibilities
  • Plans to address future challenges as they arise

3. Emergency Protocols

Unlike remediation plans, emergency protocols are those measures used during a breach. Yours should lay out the strategies and tactics that will be employed to keep patient records safe and limit damage during an attack. Emergency protocols should contain:

  • A list of all the team members, their roles, responsibilities, and contact information
  • Information for all the healthcare systems used by the software
  • A step-by-step plan for responding to a cybersecurity attack
  • Recovery procedures to be implemented once the threat has abated

Software developers must define all potential risks that may require emergency protocols to be implemented. Doing this will help your agency to be better prepared if and when an emergency occurs.

4. Authorization Monitoring

Software developers must assure that access functionality operates correctly at all times and should include:

  • Activity logs and audit controls
  • Automatic log-offs
  • Access control in emergency situations

5. Data Backup

HIPAA also specifies that ePHI must be backed up by a dependable data storage solution so that data is protected in the event of a breach or disaster. Your backup solution must include:

  • Redundancy
  • Encryption
  • Monitoring

ZenGRC Can Help Achieve HIPAA-Complaint Software

The HIPAA requirements that affect software developers within the healthcare industry run more than 115 pages long. Ensuring that you’re compliant with each applicable rule can be a real headache to do on your own. 

ZenGRC can help assure your organization does its due diligence in risk analysis and mitigation so your software can meet all compliance requirements, whether they be for HIPAA, NIST, HITECH, or any other healthcare-related requirements.

ZenGRC’s functionality can help you to implement self-audits. Its easy-to-use dashboard provides an integrated view of HIPAA-regulated data, compliance, and services, showing where your gaps are in your solution and how to fill them.

Also, as a developer, you’ll appreciate that our software updates itself automatically as compliance laws change so you can be sure that you’re never behind the compliance curve.

Worry-free HIPAA compliance is the Zen way! Learn how ZenGRC can help you achieve compliant software by booking a demo today.