Healthcare Software: Is Your Outsourcing Company HIPAA Compliant?

The Healthcare Information Portability and Accountability Act (HIPAA) was enacted to help protect workers and their dependents who lost their insurance coverage due to a change in employment as well as to safeguard the confidentiality of patient's health information. The law requires any entity that prints, stores, reviews or otherwise has access to personally identifiable health information to take certain steps to keep the data secure.

HIPAA was enacted in 1996, before smartphones, tablets, wearable devices and cloud computing. Advances in technology have increased the difficulty of complying with the regulations. With the passage of the Health Information Technology for Economic and Clinical Health Act, commonly known as HITECH, the stakes have been raised. HITECH is intended to encourage the use of electronic health records by penalizing healthcare providers who do not make "meaningful use" of digitized records and rewarding those that do with the opportunity to receive incentive payments from the federal government.

The deadline for HITECH is 2015, which has left many providers scrambling to outsource software development. Since HITECH does not supersede HIPAA, all software developed to comply with HITECH must still comply with HIPAA.

However, it is important to remember that not every software project connected to health requires HIPAA compliance. The regulations apply to the use, storage, collection or dissemination of protected health information by an entity other than the individual. Thus, if you are developing a mobile app that allows an athlete to record his pulse rate or workout duration for his personal analysis, for example, HIPAA regulations do not apply. If, however, this same app has the ability to transmit the data to the team's physician, it must be HIPAA compliant, even if the option to transmit is never used.

Assuming that you have determined that the project requires HIPAA compliance, you must bear the responsibility for ensuring your operation is HIPAA compliant. HIPAA compliance requires safeguards that are classified as administrative, technical or physical. When developing a project that must be HIPAA compliant, you should ensure that your company meets the minimum standards in all three categories.

Administrative Duties

• Appoint a privacy officer
• Conduct an annual risk assessment
• Create or administer a program to train employees about HIPAA compliance
• If needed, execute a business associate agreement with any partner or subcontractor involved in the project
• Periodically review procedures and policies, updating as needed

Technical Duties

• The software must require a unique user ID or number that can identify and track activity.
• An authentication procedure must be included to verify that the user or entity accessing the program is the person or entity claimed.
• An emergency access procedure is mandatory for obtaining information during an emergency.
• The program should include an automatic log-off after a set period of inactivity.
• There must be a mechanism for encrypting and decrypting data.
• Security measures and integrity controls must be in place to ensure that data cannot be modified without detection for as long as the data exists.
• Audit controls are required to record activity and permit review.
  There should be an electronic mechanism to authenticate protected health information to make sure that it has not be subjected to unauthorized deletions or alterations.

Physical Safeguards

• A disaster recovery and contingency operations plan is required.
• There must be policies and procedures in place to protect the facility and information stored there from unauthorized physical access, theft or tampering.
• Access to data used for development or testing must be restricted to only those with a need for access, and this need should be validated.
• Modifications or repairs to the facility that could affect its physical security (such as locks, doors or hardware) must be documented.
• Policies and procedures must be implemented for the disposal of electronic media as well as the devices on which such media has been stored.
• Records of the movement of hardware (such as servers) and media (such as flash drives) must be maintained that include the person responsible for the movement.
• If equipment must be moved, a complete and retrievable copy of the data must be made prior to the move.
• Workstations must be secured so that only authorized users can access them.
• Policies and procedures are required that define which functions can be performed on a workstation, how those functions must be performed and the physical attributes of an individual workstation or category of workstations.

In addition to the basics of HIPAA compliance, there are certain indicators that clients may look for to feel secure with an outsourced developer.

• Security: Access to the area where protected data is stored should require two-factor authentication, such as swiping a badge and entering a code.
• Video surveillance: Video logs should be maintained for a minimum of three months.
• Visitors' log: Visitors should be required to sign in. There should be a direct match between the video logs and the visitors' log as far back as the last audit that confirmed the match.
• Documented procedures: Policies and procedures should be documented and consistent. If so, employees should be able to give consistent answers to questions about specific policies or procedures.

There is no concept of safe harbor in HIPAA. It does not matter whether you accidentally transmit data to an unauthorized recipient, allow an unauthorized employee to access protected health information or fail to maintain proper system security against hackers. You can face hefty fines of up to $50,000 for each record or violation, and in some cases, you could even face criminal charges. It is therefore essential that you ensure that your company (as well as any associates or subcontractors you use) are fully compliant with HIPAA.

At delaPlex Software, we take security very seriously. We are ISO-9001:2008 certified, so our clients have the assurance of working with a provider who utilizes the most stringent security policies.

Our development facilities employ the services of a qualified third-party for continuous audit to ensure HIPAA compliance. Staff members receive extensive training to make sure that the facility, equipment and all of our clients' data receive the protection that confidential information requires.