In the old days, things like privacy, security, and compliance rarely played a central role in the development of mobile apps and other software. Instead, they were normally tacked on later. Today, however, software developers need to incorporate these features by design and default, and they need to start thinking about them from the moment they start writing the first line of code.
While HIPAA, given that it’s been around since 1996, doesn’t cover the details about security by design, it does require all relevant parties to take every reasonable step to protect patient health information (PHI). It’s much easier to do that if you pay close attention to the process when developing apps, deploying cloud computing systems, or integrating APIs. That’s why the Office for Civil Rights (OCR) has recently published a new list of resources for developers.
Are you a business associate under HIPAA?
App developers and systems integrators often don’t think of themselves as being subject to specialized compliance directives like HIPAA. However, if you’re developing software for use in the healthcare sector, chances are you will need a business associate agreement with any future customers. The exact details depend on the use case, though. For example, if your app is going to collect, process, or transmit any PHI, then it must be HIPAA-compliant.
HIPAA defines healthcare providers themselves as covered entities, but any party that handles potentially sensitive information on their behalf must sign a business associate agreement. If, however, you are simply developing an app for use in healthcare, but aren’t going to be hosting any PHI yourself, then you probably won’t need to be compliant. However, achieving HIPAA compliance in the capacity of a business associate will undoubtedly help to validate your effort to put security and privacy first. That in itself is a major selling point, especially in healthcare.
What you need to know about access rights and APIs
Whether HIPAA compliance is a legal necessity or simply a nice-to-have depends on your relationship with a covered entity. For example, if your app collects PHI on behalf of a covered entity, and that data ends up being stored on a system you own and operate, then you need to have a business associate agreement. This also means you need a structured and compliant method to oversee access rights and ensure that only compliant parties can access the data.
HIPAA does allow for some exceptions. For example, an individual may request that their PHI be redirected through an unsecured channel as a matter of convenience. That being said, you should always ensure your app provides complete end-to-end encryption if it’s being targeted toward the healthcare sector. Access rights should also be established to reduce the risk of a data breach or other unauthorized access. For example, multifactor authentication can add a second layer of security by verifying user identities before users can access PHI or connect to an external API.
What about HIPAA and cloud computing?
The OCR has also published guidance on HIPAA and cloud computing. This matters for most mobile health app developers, since most mobile apps include a cloud element, such as online storage or data synchronization. The advice also applies to any organization that plans to migrate any of its PHI systems to a cloud-hosted environment.
Since HIPAA legislation came into force long before cloud computing entered the mainstream, the law itself doesn’t make any mention of cloud-specific compliance controls. The OCR offers detailed guidance on key factors like access rights, security controls, and service level agreements (SLAs) pertaining to cloud software developers and systems integrators. It also explains the breach notification rules and how they apply to cloud computing use cases.
Finally, the new resources also include a regularly updated list of frequently asked questions about healthcare IT to keep you up to speed with developments.
Online Computers recently partnered with compliance software experts to develop an all-in-one compliance platform called The Guard. Download our flyer today to learn more.