Recently, our friend, Chris Bowen, Founder and Chief Privacy and Security Officer for ClearDATA, wrote a great article for Network World detailing the 9 Keys to Having a HIPAA-Compliant Cloud. While some of Chris’ “9 Keys” were operational – like disaster recovery and establishing a proper business associate agreement – quite a few fell under the scope of product development.
As a developer of HIPAA-compliant software, we thought we’d expand on the development considerations that Chris introduced in his list. Below we offer our take on five application and product considerations for HIPAA-compliant software development:
- Implement audit controls: Under the HITECH Act, HHS has mandated external audits to ensure that healthcare software remains in compliance with HIPAA standards. This means that one of the key considerations for a HIPAA-compliant product is a logging infrastructure that facilitates regulatory compliance. Tools such as AWS CloudTrail and DVmobile's DVblueprint can help log API calls, so if an audit is requested, these tools offer evidence of compliance. However, if any Personal Health Information (PHI) is included in those logs, encrypting the log data is recommended (see #4 below).
- Identity and Access Management Controls: HIPAA requires central identity management and necessitates the close control of access to data. Thus, to develop HIPAA-compliant software, product engineers must consider how the software will track users, logins, activity, and changes. The key for product development is to design identity and access controls that are safe but not so onerous that they negatively impact patient care. Developers have to balance the HIPAA requirements against the user personas and real-time needs.
- Access Controls: In the same vein as number two, another significant product consideration is how software can help healthcare organizations achieve access control – who has access to information and when access is available. This requirement is part of the first Technical Safeguard Standard of HIPAA’s Administrative Simplification Security Rule, and includes features like:
  - Unique user identification
  - Role-based authorization
  - Emergency access
  - Automatic logoff

  Product developers need to consider the roles of all end users to develop role-based access functionality. For example, a hospital administrator might not have the same access to patient diagnoses as a doctor would. Similarly, a doctor might not have the same access to patient financial information as an administrator might. Navigating these roles and developing infrastructure to accommodate a variety of role-based needs is critical for HIPAA-compliant software development.
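The four access-control features above, together with the audit trail from the first point, fit in a small amount of code. The Go example below is added here as an illustration and is not DVmobile's or ClearDATA's code: it assumes a hypothetical role policy (physicians read diagnoses, administrators read financials), a constructed 15-minute idle timeout, and constructed user and patient identifiers. Every decision, including a break-glass emergency override and an automatic logoff, is written to an audit record that carries the unique user id but never the PHI itself.

```go
package main

import (
	"fmt"
	"time"
)

// Resource classes from the post: clinical diagnoses vs. patient financial records.
type Resource string

const (
	Diagnoses  Resource = "diagnoses"
	Financials Resource = "financials"
)

// Role-based authorization: which resources each role may read.
// Hypothetical policy for illustration; a real one is set by the covered entity.
var rolePermissions = map[string]map[Resource]bool{
	"physician":     {Diagnoses: true},
	"administrator": {Financials: true},
}

// AuditEvent is written for every access decision. It records who, what and
// the outcome, but never the PHI content itself.
type AuditEvent struct {
	Time      time.Time
	UserID    string // unique user identification
	Role      string
	Resource  Resource
	PatientID string
	Decision  string // "allow", "deny", "break-glass" or "session-expired"
}

// Session ties a unique user to their last activity for automatic logoff.
type Session struct {
	UserID     string
	Role       string
	LastActive time.Time
}

// idleTimeout is a constructed value; the real one comes from organizational policy.
const idleTimeout = 15 * time.Minute

// AccessController holds the append-only audit trail and an injectable clock,
// so tests can simulate idle time without sleeping.
type AccessController struct {
	Audit []AuditEvent
	now   func() time.Time
}

func NewAccessController(now func() time.Time) *AccessController {
	return &AccessController{now: now}
}

func (ac *AccessController) record(s *Session, res Resource, patient, decision string) {
	ac.Audit = append(ac.Audit, AuditEvent{ac.now(), s.UserID, s.Role, res, patient, decision})
}

// Authorize decides whether the session may read res for patient.
// emergency=true requests break-glass access: it is granted regardless of role,
// but recorded with its own decision value so auditors can review every use.
func (ac *AccessController) Authorize(s *Session, res Resource, patient string, emergency bool) bool {
	now := ac.now()
	if now.Sub(s.LastActive) > idleTimeout {
		ac.record(s, res, patient, "session-expired")
		return false // automatic logoff: the user must re-authenticate
	}
	s.LastActive = now
	if rolePermissions[s.Role][res] {
		ac.record(s, res, patient, "allow")
		return true
	}
	if emergency {
		ac.record(s, res, patient, "break-glass")
		return true
	}
	ac.record(s, res, patient, "deny")
	return false
}

func main() {
	ac := NewAccessController(time.Now)
	doc := &Session{UserID: "u-1001", Role: "physician", LastActive: time.Now()} // constructed user
	fmt.Println("physician reads diagnoses:", ac.Authorize(doc, Diagnoses, "p-42", false))
	fmt.Println("physician reads financials:", ac.Authorize(doc, Financials, "p-42", false))
	fmt.Println("physician break-glass on financials:", ac.Authorize(doc, Financials, "p-42", true))
	for _, e := range ac.Audit {
		fmt.Printf("%s user=%s role=%s resource=%s patient=%s decision=%s\n",
			e.Time.Format(time.RFC3339), e.UserID, e.Role, e.Resource, e.PatientID, e.Decision)
	}
}
```

The break-glass path is deliberately permissive and deliberately loud: emergency access that is silently folded into ordinary "allow" records is indistinguishable from a policy gap at audit time, which is exactly what the audit-controls point is meant to prevent.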
- Encrypt PHI and other sensitive data: Encryption of PHI data is not required by HIPAA. But while it is not specifically mandated, implementing a mechanism to encrypt and decrypt PHI data is a best practice for healthcare software development. We agree with Chris Bowen when he says that healthcare software solutions should encrypt PHI and other sensitive data in transit or at rest using a purpose-designed approach. This helps organizations mitigate unauthorized access to sensitive data, thus protecting them from financial risk and liability in the event of a data breach.
- Ensure transmission security: Just as with encryption and decryption, transmission security is not a requirement for HIPAA-compliant software. But again, it is a best practice. When developing HIPAA-compliant software, product engineers must consider the technical security measures that need to be implemented within the application to guard against unauthorized access to information as it is being transmitted electronically. Products should be built with SSL and TLS certificates, as well as object keys where feasible.
These are just five of the keys to developing HIPAA-compliant software. Click here for more information about how DVmobile works with healthcare partners to dream up, design, and develop innovative healthcare solutions.