HIPAA

Anyone developing software for the healthcare industry faces the constant need to comply with the Health Insurance Portability and Accountability Act—more commonly known as HIPAA, and the cornerstone of privacy and security for personal health information. 

HIPAA specifies the privacy rules for healthcare records and other medical data. Any business working in the healthcare sector must keep HIPAA compliance in mind, from hospital systems to health insurance plans to medical device makers and many more.

And yes, that includes software development firms working in healthcare, and their subcontractors too. 

In this article, we’ll share a HIPAA compliance checklist that software developers can use to assure that the software they create for healthcare organizations meets all compliance requirements.

What Does HIPAA Mean For Software Developers?

Software developers are expected to adhere to HIPAA compliance requirements if their solutions collect, process, transmit, or provide data storage of electronically protected health information (ePHI). 

The types of ePHI include: 

1. Names
2. Geographical identifiers
3. Dates 
4. Phone or fax numbers
5. Email addresses
6. Social Security numbers
7. Medical record numbers
8. Beneficiary information
9. Account numbers
10. Certificate/license numbers
11. Vehicle identifiers
12. Device identifiers 
13. Uniform Resource Locators (URLs) or Internet Protocol (IP) address numbers
14. Biometric identifiers
15. Full face photos

Furthermore, HIPAA requires what’s known as a “business associate contract” (or “business associate agreement”) which applies to software developers in this industry.

This is a written agreement that specifies each party’s responsibilities pertaining to ePHI, and assures an organization that the covered entities involved will take all necessary steps to protect protected health information.

Furthermore, the Department of Health and Human Services (HHS) has the right to audit covered entities, business associates (BAs), and subcontractors to enforce HIPAA compliance.

Therefore, organizations must have a business associate agreement for all three parties (organization, software developer, and subcontractor) to meet the requirements of HIPAA.

The 5 HIPAA Enforcement Rules

1. The HIPAA Privacy Rule

The HIPAA Privacy Rule lists the requirements for protecting ePHI. Therefore, all types of ePHI listed above must be protected with administrative, technical, and physical safeguards.

The privacy rule lists access controls in which certain medical professionals can procure ePHI without authorization.  

The rule also defines the rights of patients. Patients can view or request their personal medical records, and request corrections of any inaccurate information.

2. The HIPAA Security Rule

The security rule details the requirements for security measures used to protect patient data and methods for identification, remediation, and prevention of data security breaches.

The security rule also specifies that covered entities must undergo periodic risk assessments and audits to assure their technical safeguards are reliable.

3. The HIPAA Enforcement Rule

The HIPAA Enforcement Rule defines the penalties for a data breach. Penalty amounts can vary depending on the number of medical records exposed and how many data breaches have occurred within an organization.

Fines can range from $100 to $50,000 for the first violation but can go as high as $1.5 million for subsequent breaches.

4. The Breach Notification Rule

This rule dictates that if a data breach affects fewer than 500 individuals, the organization is required to notify those individuals within 60 days. The affected business must also notify the Office For Civil Rights (OCR) within the HHS within 60 days of the new year after the breach.

If more than 500 individuals are involved in a data breach, then the organization is required to notify the public through news media channels. 

5. The Omnibus Rule

This rule, added in 2013, extends the obligations of “business associates”—that is, third parties that work with companies subject to HIPAA—to comply with the HIPAA rules while dealing with ePHI. This inclusion is especially important for software developers.

When Is a Solution Defined as HIPAA-Compliant?

All software that handles ePHI in any way should comply with the physical, technical, and administrative safeguards laid out in HIPAA regulations. 
To summarize the checklist below, a solution that uses ePHI should:

• restrict physical access of identifiable health information to authorized users only 
• be tested to assure the transmission of ePHI is secure
• encrypt data to prevent unauthorized access 
• include secure data storage methods

Checklist for HIPAA Compliant Software

1. User Authentication

To make your software HIPAA-compliant, you need to include at least two of the factors listed below:

• A password
• A security code
• Biometric credentials
• Access based on location

HIPAA-compliant software must also remember its users and must permit health professionals to procure patient data without being required to adhere to complex protocols every time they need to use the system.

2. Remediation Methods

A remediation plan must be implemented to assure patient data protection. It should include the following elements:

• All actions that will be taken to assure data security
• Clearly defined team member responsibilities
• Plans to address future challenges as they arise

3. Emergency Protocols

Unlike remediation plans, emergency protocols are those measures used during a breach. Yours should lay out the strategies and tactics that will be employed to keep patient records safe and limit damage during an attack. Emergency protocols should contain:

• A list of all the team members, their roles, responsibilities, and contact information
• Information for all the healthcare systems used by the software
• A step-by-step plan for responding to a cybersecurity attack
• Recovery procedures to be implemented once the threat has abated

Software developers must define all potential risks that may require emergency protocols to be implemented. Doing this will help your agency to be better prepared if and when an emergency occurs.

4. Authorization Monitoring

Software developers must assure that access functionality operates correctly at all times and should include:

• Activity logs and audit controls
• Automatic log-offs
• Access control in emergency situations

5. Data Backup

HIPAA also specifies that ePHI must be backed up by a dependable data storage solution so that data is protected in the event of a breach or disaster. Your backup solution must include:

• Redundancy
• Encryption
• Monitoring

ZenGRC Can Help Achieve HIPAA-Complaint Software

The HIPAA requirements that affect software developers within the healthcare industry run more than 115 pages long. Ensuring that you’re compliant with each applicable rule can be a real headache to do on your own. 

ZenGRC can help assure your organization does its due diligence in risk analysis and mitigation so your software can meet all compliance requirements, whether they be for HIPAA, NIST, HITECH, or any other healthcare-related requirements.

ZenGRC’s functionality can help you to implement self-audits. Its easy-to-use dashboard provides an integrated view of HIPAA-regulated data, compliance, and services, showing where your gaps are in your solution and how to fill them.

Also, as a developer, you’ll appreciate that our software updates itself automatically as compliance laws change so you can be sure that you’re never behind the compliance curve.

Worry-free HIPAA compliance is the Zen way! Learn how ZenGRC can help you achieve compliant software by booking a demo today.

Healthcare is among the most highly regulated industries in the United States. Hospital systems, medical practices, and related healthcare organizations accumulate huge troves of sensitive information about their patients—medications, procedures, testing results, and more—which all qualify as protected health information (PHI) that must be secured from unauthorized use. 

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, first defined how PHI must be handled. The law was further updated in 2003 with the HIPAA Privacy Rules, followed by the HIPAA Security Rules in 2005. 

Those two sets of rules address different aspects of keeping patient information secure. The HIPAA Privacy Rules focus on protecting data and establishing rules for what and how patient information may be shared; the HIPAA Security Rules focus on the technical aspects of how to keep patient data secure and confidential (for example, by imposing stringent cybersecurity requirements and other data protection measures).

Alas, things still go wrong, and HIPAA data breaches still happen. As hackers become more proficient and clever with their attack strategies, the potential harm of a breach keeps increasing. 

In this post, we’ll review how to perform a HIPAA risk assessment and provide some guidelines for how to get started. 

What are the 4 elements of a risk assessment?

Regardless of your industry, the four basic elements of risk assessment are the same. Let’s break them down in terms of how they relate to HIPAA and the healthcare industry:

• Identify the assets at risk. This would be any type of protected health information, such as patient data, personal information, date of birth, addresses, and insurance information.
• Perform the risk analysis. it’s important to identify the specific types of potential risks you face. Healthcare providers are prime targets because the electronically protected health information they possess is so richly detailed; that makes the information quite useful for people seeking unauthorized access. The goal here is to identify different risk levels. For example, data on protected servers inside your office are probably at lowest risk, while third-party vendors or other business associates with access to your systems are probably the highest. 
• Determine the probability of the specific risk and its likely impact. What’s more likely: a cyber attack, or your building will get hit by a tsunami? Actuarial models can help you figure out the probability of specific risks, and a review of your technical safeguards, cybersecurity system, and data handling procedures should give you a good sense of which risks are most likely and most harmful. The impact of a potential risk should be measured not only in the financial damage it could inflict, but also the cost of remediation (see below) and the significant cost to your company’s image if you suffer a major data breach. 
• Determine the cost of an appropriate solution. Your risk management plan should help you identify the appropriate level of security you should implement. For example, what is the worst-case scenario, and what is the associated cost of remediation? Clearly the company shouldn’t invest in expensive solutions for risks that pose little harm or are extremely rare; risk assessment should help you determine which solutions are worth the investment, given the probability and potential harm. 

How do you develop a HIPAA risk assessment in healthcare and what should its scope be? 

It may help to think of a HIPAA risk analysis as a HIPAA compliance audit. In that case, the first step is to take an in-depth look at your current system. Who handles protected health information (PHI)? Which systems does HIPAA data flow through, and are those systems secure enough? If you have added remote workers due to the pandemic, do a separate security risk assessment of the remote access process, VPN connections, and any hardware located off premises. 

The scope of your HIPAA risk assessment is determined by the various phases of the “data lifecycle” as HIPAA data travels through your IT systems: 

• How does your business receive PHI? It may come in many forms, such as faxes, text messages, emails, phone calls, and physical letters or files arriving via a delivery service or mail; it might also come directly from another provider’s database. (Make sure you have strong business associate agreements in place to govern such relationships.) 
• How does PHI travel through your internal system? Once a piece of data is in your possession, determine exactly where it goes. This includes having a strictly monitored mail routine, protected servers and workstations, and clear policies around using electronic calendars or mobile devices. Make sure your information technology software is up to date. 
• If you work with other business associates or third party contractors, how do you transfer PHI to them and how they receive it? For instance, do you have sufficient encryption to meet HIPAA standards, and have you appropriately enacted other security measures? 

Once you’ve examined these areas and determined the lifecycle of data in your system, you may discover weak areas where a tougher audit—such as a HIPAA security risk analysis—is required, to expose all the potential threats to your data. And you will have a good sense of where and how PHI may leak from your system. 

What should a HIPAA risk assessment template include, and what type of questions are required in a HIPAA risk assessment?

Guidance about how to construct a HIPAA risk assessment template is voluminous, and often confusing. One good place to start is with the HIPAA Security Risk Assessment (SRA) tool developed by the Office of the National Coordinator of Health and Information Technology (ONC) and the Office for Civil Rights. That tool is designed to help especially smaller and mid-size healthcare providers develop proper HIPAA compliant standards for securing electronic protected health information (ePHI).

According to the HIPAA SRA, your template should include questions such as, “Have you identified the e-PHI within your organization? What are external sources of e-PHI?” and “What are the human, natural, and environmental threats to the information system that contain the e-PHI?” 

It may be helpful to develop or download a specific template, but remember that the final documentation for your compliance with the HIPAA security rule doesn’t have to be submitted in a specific format.

How often is a HIPAA risk assessment required?

To comply with both the HIPAA Privacy Rules and the HIPAA Security Rules, you should conduct a HIPAA risk assessment and review the findings annually. A new risk assessment report may be necessary if the lifecycle of data in your system changes, or if a business associate or third-party vendor changes its own data handling procedures. A HIPAA-compliant business should be able (at any time) to show that a current risk assessment report and to demonstrate that all appropriate safety measures have been taken.

Cybersecurity and compliance management tools

As you steer your business through the pandemic and our highly interdependent world, many tools can help keep your business safe, in compliance and your information secure.

ZenGRC’s compliance management, risk and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also easily identifies areas of high risk before that risk has manifested as a real threat. 

Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.

The security of healthcare data doesn’t always get the same consideration as other types of cybersecurity. Perhaps that shouldn’t be surprising: the stakes in many healthcare facilities are literally life and death, and data security can sometimes fall to the wayside.

The truth, however, is that healthcare data security is critically important. That’s both because of the unique type of information that can be stolen from healthcare facilities, and because of the significant damage a cyber attack can inflict on patients’ quality of care.

Electronic Health Records Are Uniquely Valuable

It’s true that electronic protected health information (ePHI) stolen via healthcare data breaches has less monetary value on the black market than, say, a credit card number. What’s important, however, is that healthcare data remains constant over time.

That is, a stolen credit card can be canceled, rendering the credit card number useless. A person’s name, date of birth, and medical history, on the other hand-that information doesn’t change. Electronic health records (EHRs) are specifically designed to be shared among healthcare providers, to provide the best possible care the least cost. The ability to share health information allows medical professionals to do their jobs efficiently, but without appropriate data protections in place, electronic medical records can fall into the wrong hands and cause long-term disruption for the victims.

The permanent nature of healthcare information makes it all the more valuable to cybercriminals. The wide variety of personal data included in medical records can lead to identity theft or other forms of fraud.

Medical Facilities Have Distinct Vulnerabilities

The healthcare industry also has unique cybersecurity vulnerabilities that are important to consider. Most healthcare organizations have a large number of unauthorized people-more commonly known as “patients” and “visitors”-who are able to move freely within the facility. This increases the possibility of physical access to restricted areas and systems.

Another potential security risk could be the hospital’s own staff. A majority of medical security breaches originate via phishing attempts. A doctor or nurse who’s tired and distracted by the job at hand may inadvertently open a seemingly harmless email that could bring ransomware attacks, resulting in the loss of otherwise protected health information.

Next are medical devices. Most devices are expensive and are built to last for a long time. Manufacturers often focus on the machine’s particular task, rather than data security. As such, medical devices can be insecure from the start, and difficult to update as attack methods evolve.

Healthcare tools and devices are also increasingly a part of the Internet of Things (IoT)-and while IoT-enabled medical devices are an important breakthrough in medical care, they also created a new world of potential security risks. As these IoT devices become more widely used, facilities need to be aware of the potential risks and how vulnerable the operating systems can be for healthcare security.

Healthcare Providers Aren’t Focused on Data Security

Many healthcare providers are unaware of these risks and can be reluctant to make changes that might interfere with patient care. After all, those changes can be time consuming and expensive, while operating budgets are tight.

Medical professionals do need quick and easy access to their patient information, but a balance should be struck between accessibility and security. Healthcare providers have an important responsibility to the community. Part of that responsibility is protecting patients’ sensitive data. Patient records should be treated as an extension of the patient themselves and held to the same standard of care.

HIPAA Compliance Depends on Strong Data Security

The Health Insurance Portability and Accountability Act was created in 1996 to regulate the use and storage of protected health information (PHI). HIPAA compliance is required of organizations that are defined as covered entities (those that transmit and collect PHI) and business associates (those that have access to the data of covered entities). A number of additions and changes have been made to the HIPAA regulations since its inception, notably the Privacy Rule in 2003 and the Security Rule in 2004. These two rules have much in common, but the latter was created explicitly for the protection of ePHI.

The Security Rule provides organizations with standards that must be met to prove that personal health information is protected. Violations of these standards can result in fines and possible jail time. Full HIPAA compliance requires you to adhere to the Security Rule, so make sure the appropriate security measures are in place to protect all healthcare information in your care.

The costs of investigating and responding to healthcare security breaches can be enormous. To protect your company and your patients, it’s important to consider healthcare data security from the start, before it becomes an issue. ZenGRC is a streamlined platform built to keep you on top of your compliance and data governance. Schedule a demo today and learn more about how ZenGRC can help keep your PHI secure.