HIPAA for Software Developers
2020-02-25
If you are here reading this is because you need to handle protected health information (PHI) and you need to be HIPAA compliant. Disclaimer: this article is not a definitive list of what is required for HIPAA compliance; you should ask a Privacy Officer to review each rule with you just to be sure. Our intention is to make things clearer from a software development point of view, helping you avoid rookie mistakes and getting lost in the abundance of online HIPAA documentation.
A bit of history and HIPAA breakdown
First, a bit of history. The Health Insurance Portability and Accountability Act of 1996 was “created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage.” The act consists of five titles, but most of the time only title II is directly related with software development activities.
Title II splits itself in five rules:
- Privacy Rule
- Transactions and Code Sets Rule
- Security Rule
- Unique Identifiers Rule
- Enforcement Rule
Oversimplifying, this title covers the prevention of fraud and abuse and can be reduced to data protection and handling. That is probably the first area that comes to your mind when you think about HIPAA, together with patient privacy protection, security controls for health and medical records and other forms of protected health information (PHI).
Remember that HIPAA applies to all Business Associates (“BAs”) such as subcontractors, data storage companies, cloud providers, payment gateways, etc. As a rule of thumb, remember that “a person [or company] becomes a BA by definition, not by the act of contracting with a covered entity or otherwise.” So, you are a BA if you “perform functions or activities on behalf of, or certain services for, a covered entity or another BA that involve the use or disclosure of protected health information (PHI)”.
In the next sections we will be describing the most important Title II rules (from a software development point of view), putting more attention in the Privacy Rule, with the Breach Notification Rule introduced in the Omnibus Rules of 2013, and the Security Rule.
Privacy Rule
This rule establishes standards to protect individuals’ medical records and other PHI. It dictates how, when and under what circumstances PHI can be used and disclosed.
As stated by Truevault here, this rule requires BAs to do the following:
- Do not allow any impermissible uses or disclosures of PHI.
- Provide breach notification to the Covered Entity.
- Provide either the individual or the Covered Entity access to PHI.
- Disclose PHI to the Secretary of HHS [United States Department of Health and Human Services], if compelled to do so.
- Provide an accounting of disclosures.
- Comply with the requirements of the HIPAA Security Rule.
Another way to look at this rule is to think about what situations allow you to make use of PHI. Eligible summarized these six areas:
- When disclosed to the individual
- For treatment, payment and operations
- When permission is given
- When used incidentally
- In benefit of public interest
- When personally-identifiable information has been removed
The “used incidentally” sounds a bit strange, but the HHS gives this example: if “a janitor has contact with protected health information incidentally, such disclosure is permissible”, mostly “because the performance of such service does not involve the use or disclosure of [PHI].” The other rare area is the “benefit of public interest”, but this is the case when the disclosure is “required by law, victims of abuse, and law enforcement purposes”.
Regarding breach notifications (number 2 of the initial list), it was modified in the Omnibus Rule of 2013 together with final modifications of the HIPAA privacy and security rules. The Breach Notification Rule, 45 CFR §§ 164.400-414, “requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI”.
As stated here, “A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information”. Also “An investigation into the potential breach and notification to appropriate individuals must be conducted by the covered entity and/or business associate no later than sixty (60) day past the date of discovery”. Finally, there are scenarios where disclosure to the customer isn’t required (according to some law schools), but consulting with appropriate legal counsel is always highly recommended.
Security Rule
The Privacy Rule applies to all kinds of PHI; the Security Rule doesn't. It impacts only in electronic PHI (ePHI), laying out the requirements of the safeguards that must be in place to be compliant with it. All “HIPAA Covered Entities” (CEs) or BA who can access, create, alter or transfer ePHI must follow these standards. Those safeguards are:
- Technical Safeguards
- Physical Safeguards
- Administrative Safeguards
Safeguards summaries
TL;DR. The following tables are from the Appendix A to Subpart C of Part of the HIPAA Administrative Simplification document.
As stated here, if a specification is Required, the spec must be implemented. But if it´s Addressable, then you can: “(a) implement the addressable implementation specifications; (b) implement one or more alternative security measures to accomplish the same purpose; (c) not implement either an addressable implementation specification or an alternative.”
Technical safeguards (§ 164.312)
Standards |
Sections |
Implementation Specifications |
(R)=Required, (A)=Addressable |
Access Control |
164.312(a)(1) |
||
Unique User Identification |
R |
||
Emergency Access Procedure |
R |
||
Automatic Logoff |
A |
||
Encryption and Decryption |
A |
||
Audit Controls |
164.312(b) |
R |
|
Integrity |
164.31 (c) (1) |
Mechanism to Authenticate Electronic Protected Health Information |
A |
Person or Entity Authentication |
164.312(d) |
R |
|
Transmission Security |
164.312(e)(1) |
Integrity Controls |
A |
Encryption |
A |
Physical safeguards (§164.310)
Standards |
Sections |
Implementation Specifications |
(R)=Required, (A)=Addressable/p> |
Facility Access Controls |
164.310(a)(1) |
Contingency Operations |
A |
Facility Security Plan |
A |
||
Access Control and Validation Procedures |
A |
||
Maintenance Records |
A |
||
Workstation Use |
164.310(b) |
R |
|
Workstation Security |
164.310(c) |
R |
|
Device and Media Controls |
164.310(d)(1) |
Disposal |
R |
Media Re-use |
R |
||
Accountability |
A |
||
Data Backup and Storage |
A |
Administrative safeguards (§164.308)
Standards |
Sections |
Implementation Specifications |
(R)=Required, (A)=Addressable |
Security Management Process |
164.308(a)(1) |
Risk Analysis |
R |
Risk Management |
R |
||
Sanction Policy |
R |
||
Information System Activity Review |
R |
||
Assigned Security Responsibility |
164.308(a)(2) |
R |
|
Workforce Security |
164.308(a)(3) |
Authorization and/or Supervision |
A |
Workforce Clearance Procedure |
A |
||
Termination Procedures |
A |
||
Information Access Management |
164.308(a)(4) |
Isolating Health care Clearinghouse Function |
R |
Access Authorization |
A |
||
Access Establishment and Modification |
A |
||
Security Awareness and Training |
164.308(a)(5) |
Security Reminders |
A |
Protection from Malicious Software |
A |
||
Log-in Monitoring |
A |
||
Password Management |
A |
||
Security Incident Procedures |
164.308(a)(6) |
Response and Reporting |
R |
Contingency Plan |
164.308(a)(7) |
Data Backup Plan |
R |
Disaster Recovery Plan |
R |
||
Emergency Mode Operation Plan |
R |
||
Testing and Revision Procedure |
A |
||
Applications and Data Criticality Analysis |
A |
||
Evaluation |
164.308(a)(8) |
R |
|
Business Associate Contracts and Other Arrangement |
164.308(b)(1) |
Written Contract or Other Arrangement |
R |
Annex - Security Safeguards - Complete list
Technical safeguards
These safeguards are focused on the technology that protects PHI and controls access to it without requiring the use of specific technologies (technology neutrality).
- Access Control
- Required
- Unique User Identification: “Assign a unique name and/or number for identifying and tracking user identity.”
- Emergency Access Procedure: “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”
- Addressable
- Automatic logoff: “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”
- Encryption and Decryption: “Implement a mechanism to encrypt and decrypt electronic protected health information.”
- Required
- Audit Controls
- Required
- Audit controls: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
- Required
- Integrity
- Addressable
- Implementation specification. Mechanism to authenticate electronic protected health information: “Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.”
- Addressable
- Authentication
- Required
- Person or entity authentication: “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
- Required
- Transmission Security
- Addressable
- Integrity Controls: “Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”
- Encryption: “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”
- Addressable
Physical safeguards
These are a set of rules and guidelines that focus on the physical access to PHI.
- Facility Access Controls
- Addressable
- Contingency Operations: “Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.”
- Facility Security Plan: “Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.”
- Access Control and Validation Procedures: “Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.”
- Maintenance Records: “Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).”
- Addressable
- Workstation Use
- Required
- Workstation use: “Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”
- Required
- Workstation Security
- Required
- Workstation security: “Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”
- Required
- Device and Media Controls
- Required
- Disposal: “Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”
- Media Re-Use: “Implement procedures for removal of electronic protected health information from electronic media before the media are made available for reuse.”
- Addressable
- Accountability: “Maintain a record of the movements of hardware and electronic media and any person responsible therefore.“
- Data Backup and Storage: “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.”
- Required
Administrative safeguards
These safeguards are a collection of policies and procedures that govern the conduct of the workforce, and the security measures put in place to protect ePHI.
- Security Management Process
- Required
- Risk Analysis: “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
- Risk Management: “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).”
- Sanction Policy: “Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.”
- Information Systems Activity Reviews: “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
- Required
- Assigned Security Responsibility
- Required
- Officers: “ Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.”
- Required
- Workforce Security
- Addressable
- Authorization and/or supervision: “Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.”
- Workforce clearance procedure: “Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.”
- Termination procedures: “Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.”
- Addressable
- Information Access Management
- Required
- Isolating health care clearinghouse functions: “If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.”
- Addressable
- Access authorization: “Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.“
- Access establishment and modification: Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
- Required
- Security Awareness and Training
- Addressable
- Security reminders: “Periodic security updates.”
- Protection from malicious software: “Procedures for guarding against, detecting, and reporting malicious software.”
- Log-in monitoring: “Procedures for monitoring log-in attempts and reporting discrepancies.”
- Password management: “Procedures for creating, changing, and safeguarding passwords.”
- Addressable
- Security Incident Procedures
- Required
- Response and reporting: “Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.”
- Required
- Contingency Plan
- Required
- Data backup plan: “Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information”
- Disaster recovery plan: “Establish (and implement as needed) procedures to restore any loss of data.”
- Emergency mode operation plan: “Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.”
- Addressable
- Testing and revision procedures: “Implement procedures for periodic testing and revision of contingency plans.”
- Applications and data criticality analysis: “Assess the relative criticality of specific applications and data in support of other contingency plan components.”
- Required
- Evaluation
- Required
- Evaluations: “Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.”
- Required
- Business Associate Contracts and Other Arrangements
- Required
- Written contract or other arrangement: Have special contracts with business partners who will have access to your PHI in order to ensure that they will be compliant. Choose partners that have similar agreements with any of their partners to which they are also extending access.
- Required
Acknowledgments
This post was written for Vairix Software Development, so I want say thanks to them for let me share this with you in my homepage.
Further Reading
Significant Revisions
Feb 25, 2020: Original publication on vairix.com
Jul 07, 2020: Original publication on dariomac.com