What to consider when developing and shipping HIPAA compliant software? (Part 1)
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the United States Congress in 1996. The act has five Titles, which cover health insurance coverage for workers and their families, standards for electronic health care transactions, pre-tax medical expenditures, group health plans and, finally, company-owned life insurance policies. Of the five Titles, the second, known as the Administrative Simplification (AS) provisions, is the one most concerned with data management and therefore the one that software developers and system administrators deal with most.
Evenset is a Toronto-based company that specializes in building custom software for the healthcare and medical industry. In the following series, we summarize the requirements and the different approaches that need to be followed in order to become HIPAA compliant.
What does Title II of HIPAA consist of?
Title II of HIPAA is the most comprehensive section of the act and defines standards for protecting sensitive patient information. Any company, health care facility, hospital, contractor and even subcontractor (covered entities) that works with Protected Health Information (PHI) must ensure that it meets the standards and follows all the regulations. Title II has five general rules:
Privacy Rule: This rule regulates the use and disclosure of PHI. PHI generally refers to any kind of health-related data (health conditions, payments, etc.) held by covered entities that can be linked to an individual. Under certain conditions, covered entities can disclose PHI:
Covered entities have to disclose the information to the patient upon request within 30 days.
In some circumstances (e.g. a report of child abuse), government officials may request access to that data as well.
Covered entities should keep track of the information they disclose.
Covered entities may disclose PHI to other health providers without the patient's written consent. However, they have to keep the released information to the minimum necessary.
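An added example (not code from the original post) that puts the disclosure bullets above into a small access layer: each requester role gets only the fields its access class allows, the patient always gets the full record, and every release is written to an accounting-of-disclosures log that can be produced on request. The role names, field names and sample record are constructed for the demo.

```python
from datetime import datetime, timezone

# Constructed access classes (assumed names, not from the post): the PHI
# fields each requester role may receive. None means the whole record,
# which is what the patient's own right of access requires.
ALLOWED_FIELDS = {
    "patient": None,
    "billing": {"patient_id", "insurance_id", "charges"},
    "treating_provider": {"patient_id", "diagnosis", "medications"},
}

# Constructed sample record; a real system would load it from storage.
RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "diagnosis": "example diagnosis",
    "medications": ["example medication"],
    "insurance_id": "INS-1234",
    "charges": 120.0,
}

# Accounting of disclosures, kept so it can be produced on a patient's request.
DISCLOSURE_LOG = []


def disclose(record, requester, role, purpose):
    """Return the minimum-necessary view of record for this role and log it."""
    if role not in ALLOWED_FIELDS:
        raise PermissionError(f"role {role!r} has no access class")
    allowed = ALLOWED_FIELDS[role]
    if allowed is None:
        view = dict(record)
    else:
        view = {k: v for k, v in record.items() if k in allowed}
    DISCLOSURE_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "to": requester,
        "role": role,
        "purpose": purpose,
        "patient_id": record["patient_id"],
        "fields": sorted(view),
    })
    return view


def disclosures_for(patient_id):
    """Every logged disclosure of one patient's PHI, oldest first."""
    return [e for e in DISCLOSURE_LOG if e["patient_id"] == patient_id]
```

A role that is not in the access table is refused outright rather than defaulting to a full view, and the log records which fields left, not just that a request happened.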
Transaction and Code Sets Rule: One of the goals of HIPAA was to simplify health care transactions between parties by standardizing them. This rule regulates the exchange of billing and encounter information between covered entities, and between a covered entity and the patient. The act also includes rules for transactions covering retail pharmacy claims, benefits enrollment, payroll deduction, health care eligibility and benefits inquiries, and many more.
Security Rule: The Security Rule complements the Privacy Rule. The Privacy Rule regulates all protected health information (PHI) regardless of its form (e.g. paper or digital), whereas the Security Rule deals mostly with electronic protected health information (ePHI). This section contains the regulations most relevant to software development for the medical industry. The Security Rule has three main safeguards required for compliance:
Administrative Safeguards: These policies dictate that organizations must have written privacy procedures and must appoint a privacy officer to develop and maintain that documentation. The procedures should identify which employees have access to ePHI and implement different classes of access where necessary. Dealing with subcontractors, and the procedures to follow in case of a breach, should be covered in this section as well.
Physical Safeguards: These rules govern physical access to the protected data. For example, the addition and removal of software and hardware at any facility should be regulated, monitored and performed only by authorized personnel. Access to the facility, visitor logs and any collaboration with third-party contractors should be regulated as well.
Technical Safeguards: These mostly control access to computers, code and any infrastructure, such as open networks, where ePHI is stored or through which it is transferred. In other words, data should be protected from unauthorized access by methods such as encryption at rest and encryption in transit, and data integrity can be checked by methods such as validating signatures or checksums. All HIPAA practices, risk analyses and risk management programs should be documented and actively kept up to date, and any future development should follow the documented policies, updating them where necessary.
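An added example (not code from the original post) of the integrity check the paragraph above mentions: a keyed HMAC-SHA256 tag over each stored ePHI record, so that modification of the record or of its tag is detected on read or by a periodic sweep. The key, record fields and store layout are constructed for the demo; a production key would come from a key management service, never from source code.

```python
import hashlib
import hmac
import json


def canonical(record: dict) -> bytes:
    """Stable serialization so an unchanged record always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes) -> dict:
    """Attach a keyed HMAC-SHA256 tag; only holders of key can produce a valid one."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    """True only if the record is exactly what was sealed under key."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, sealed["tag"])


def plain_checksum(record: dict) -> str:
    """Unkeyed SHA-256: fine for catching accidental corruption, but anyone who
    can write the record can also rewrite the checksum, so it is not evidence
    of integrity on its own. Kept here to contrast with the keyed tag."""
    return hashlib.sha256(canonical(record)).hexdigest()


def audit_store(store: dict, key: bytes) -> list:
    """Integrity sweep over {patient_id: sealed}; returns the ids that fail."""
    return sorted(pid for pid, sealed in store.items() if not verify(sealed, key))
```

The sweep result is what you would feed into the documented risk management process: a non-empty list is an integrity incident to investigate, not just a failed read.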
Unique Identifier Rule: All covered entities and health care providers must use a National Provider Identifier (NPI) on all of their electronic transactions. The NPI is a 10-digit national number that uniquely identifies the provider in the US. A provider usually has a single NPI; however, larger institutions can obtain multiple NPIs for their sub-parts.
Enforcement Rule: These are the rules that establish civil money penalties for violations of HIPAA. Complaints against any type of business, including pharmacy chains, insurance groups, large health care centers and small providers, will be investigated. The most common violations are:
Misuse and disclosure of PHI
Failing to implement any protection of PHI
No means of access for the patient to obtain their data
Disclosing more than the minimum necessary protected data
Failing to implement any protection of ePHI
In the next chapter, we will mostly cover the technical safeguards of the Security Rule and the best practices to develop HIPAA compliant software.
Evenset Inc. is a custom software development company in Toronto, Canada.
We specialize in developing custom web and mobile applications, implementing machine learning and big data solutions, and applying new technologies to our clients' specific requirements, with the highest code quality and fastest delivery.