The Health Insurance Portability and Accountability Act (HIPAA) of 1996 sets the standard for protecting sensitive patient data. The HIPAA rules apply to any organization based in the United States that handles an individual's health information.
If you are developing a healthcare application that collects personal data about its user solely for that user's own use, the application is not subject to HIPAA compliance requirements for medical software.
If, however, the personal data collected will be shared with a medical professional or another HIPAA Covered Entity (a health insurance organization, for example), then the data is considered Protected Health Information (PHI) and the application needs to be HIPAA compliant. HIPAA compliance requires any organization that deals with PHI to ensure that all the required physical, network, and process security measures are in place and followed.
The three major provisions addressed in the HIPAA law are: Portability, the Medicaid Integrity Program (MIP) / Fraud & Abuse, and Administrative Simplification.
When developing a HIPAA compliant healthcare application, only the third provision needs to be followed. The Administrative Simplification provision establishes rules across the healthcare industry for standard transactions and code sets, identifiers, security, and privacy.
The five major standards, or rules, under the HIPAA Administrative Simplification Regulations are: the Privacy Rule, the Security Rule, the Transactions & Code Sets (TCS) Rule, the Unique Identifiers Rule, and the Enforcement Rule.
The US Department of Health and Human Services (HHS) requires an organization hosting sensitive patient data to follow specific guidelines on physical and technical safeguards.
The physical safeguards include:
The technical safeguards of HIPAA require access control so that only authorized personnel can access electronic Protected Health Information (ePHI).
Access controls include:
Other technical policies for HIPAA compliance cover integrity controls: measures that confirm ePHI is not improperly altered or destroyed.
IT disaster recovery and offsite backup are the essential components that ensure electronic media errors and failures are rectified quickly, so that patient health information is recovered accurately and intact.
The final technical safeguard is network, or transmission, security, which requires HIPAA compliant hosts to protect ePHI against unauthorized access while it is in transit. This covers every method of data transmission, including email, the internet, and private networks.
A HIPAA violation is a breach of an organization's compliance program that compromises the integrity of PHI or ePHI. Under the HIPAA Privacy Rule, an organization that suffers a healthcare data breach, or that fails to give a patient access to their PHI, can be fined by the Office for Civil Rights (OCR).
Implementing HIPAA regulations in an application can increase the cost of the product, because the physical and technical guidelines for safeguarding Protected Health Information must be incorporated and applied, and this is required to deliver a healthcare application of the necessary quality.