2024 Guide to HIPAA in Software Development

Understanding HIPAA compliance is critical for any software business operating in the healthcare space. Even if you are a third-party providing services to a company in the healthcare space, anywhere from a software development company to an accounting firm, you need to understand whether or not HIPAA compliance applies to your business. And, if HIPAA compliance applies to your business, you have to set your business up for success in abiding by HIPAA guidelines or potentially face steep penalties. The healthcare market is proliferating, expanding the number of companies that must abide by HIPAA. Projections measure the healthcare software market growing at a rate of 13%, leading to USD $79.56 billion by 2030. 

Like any software, the threat to private information is a significant problem in healthcare software development. The Healthcare Insurance Portability and Accountability Act (HIPAA) regulates the interaction of software apps with protected health information (PHI).  HIPAA is a federal law established in 1996, requiring all covered organizations and business associates to regulate their security practices and observe compliance with set standards.

HIPAA Terminology 101

Before we get into the nitty gritty details of HIPAA, it’s important to have an understanding of some basic terminology. In particular, understanding the different entity types that HIPAA refers to, as well as the legal agreements that join them together, is an important foundation.

There are essentially three main entity types that HIPAA deals with: covered entities, business associates, and business associate subcontractors. These entities have a relationship established through a legal document called a Business Associate Agreement (BAA).

Here are some of the basic terms you need to familiarize yourself with before diving into HIPAA compliance:

Protected Health Information (PHI)

Protected health information (PHI) is any information within medical records that were created in the course of providing a health care service and that can be used to identify an individual.

Covered Entities

Covered Entities are typically the entity that deals with protected health information.

Business Associates

Business Associates are third parties that the covered entity hires that have access to the PHI of the covered entity.

For an abounding definition of what is a business associate and the types of business associates in software development. 

Business Associate Subcontractors

Business Associate Subcontractors are third parties that are hired by business associates and that have access to the PHI of a covered entity.

Business Associate Agreement

The legal agreement binding covered entities, business associates, and business associate subcontractors together and ensuring that each will abide by the rules of HIPAA is called a Business Associate Agreement (BAA). Covered entities sign Business Associate Agreements with business associates and business associates sign BAAs with business associate subcontractors. Here is an illustration outlining the different entity types:

HIPAA Rules and Safeguards

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States federal law that necessitated the creation of national standards to protect sensitive patient health information.

The law modernized how healthcare information flows by declaring the need to protect personally identifiable information maintained by healthcare providers. Insurance industries should also protect PHI data from theft and fraud.

The US Department of Health and Human Services (HHS) further issued two main rules to facilitate the implementation of the HIPAA requirements. The rules include the following;

The HIPAA Privacy Rule

The HIPAA Privacy Rule addresses the use, sharing, and disclosure of protected health information (PHI) by covered entities. It sets standards for the rights of individuals to understand how their PHI is used, control how their PHI is used, and to receive copies of their health records upon request.

In software development, the Privacy Rule defines standards for patients’ rights to understand their health information and control how it’s used in healthcare apps.

The goal of the Privacy Rule is to enhance protection for the patient’s health information while ensuring a good flow of information required to promote top-notch healthcare. It also helps in the protection of the general public health and well-being.

The HIPAA Security Rule

The HIPAA Security Rule is of particular interest to anyone that works in software development. Unlike the Privacy Rule, which applies to PHI, the Security Rule only applies to electronically Protected Health Information, e-PHI. Thus, it is of particular interest in software, as e-PHI includes all PHI transmitted over the web.

There are three “safeguards” of the HIPAA Security Rule that every software company operating under the guidelines of HIPAA must be familiar with and meet the requirements:

1. Administrative Safeguards
2. Physical Safeguards
3. Technical Safeguards

Administrative Safeguards

The Administrative Safeguards essentially cover policies, procedures, and actions. They are to be established by a Covered Entity or a Business Associate that is operating under HIPAA. Some of the areas that the Administrative Safeguards cover are:

Physical Safeguards

The Physical Safeguards cover “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards and unauthorized intrusion.”

When addressing physical safeguards, Covered Entities basically need to think about physical access to anything that might contain ePHI, as well as effective access control and monitoring systems. This section includes:

Technical Safeguards

Technical Safeguards cover “the technology and the policy and procedures for its use that protect electronically protected health information and control access to it.”

Areas covered by Technical Safeguards include:

The HIPAA Breach Notification Rule

Under the Breach Notification Rule, HIPAA requires all covered entities and businesses to provide clear information in case of a breach of unsecured PHI.

According to the Department of Health and Human Services (HHS), a breach refers to unauthorized use and disclosure as dictated in the Privacy Rule compromising the security of the PHI. 

Business associates should notify covered entities when a breach occurs caused by or affects the business associates. After a covered entity discovers that a breach of PHI occurs, it must notify relevant parties without reasonable delay or within 60 days. If a breach contains the PHI of more than 500 people, the respective covered entity must notify a prominent media outlet serving the state or jurisdiction in which the breach occurred.

The HIPAA Omnibus Rule

The Omnibus Rule deals with a number of changes that were introduced to HIPAA in 2013. Arguably the most important one deal with business associates of covered entities. According to the Omnibus Rule, business associations can be directly audited or fined for noncompliance by DHHS. This means that business associates share legal and financial responsibility for abiding by HIPAA with the covered entities that they have Business Associate Agreements with. Naturally, this is a large change.

Understanding HIPAA Liability

It is important to understand how HIPAA can potentially impact your business. If you are a covered entity, a business associate, or a business associate subcontractor, then you are subject to HIPAA liability and, in the case of breaches, potential fines.

The Omnibus Rule (2013) outlined the fact that business associates can be audited or fined independently. This means that anyone signing a Business Associate Agreement should be fully aware of the risk that doing so represents to their business.

As of writing this, it is reported that the Office of Civil Rights has settled or imposed a civil money penalty in 126 cases resulting in a total dollar amount of $133,519,272.00.  OCR has investigated complaints against national pharmacy chains, major medical centers, group health plans, hospital chains, small provider offices, and more.

Lines of Responsibility

It is important to note exactly what a Business Associate Agreement covers, and which party is responsible for which pieces of the agreement each entity is responsible for. While it might seem at first that signing a Business Associate Agreement with a third party ensures that your data will be kept HIPAA-compliant with them, that is not necessarily always the case depending upon the nature of your relationship.

A good example of this can be seen with the Amazon AWS Shared Responsibility Model. Because AWS offers a ton of different cloud computing services, and those services can be configured in many different ways, it is virtually impossible for them to inspect every application they host and make sure that it is HIPAA compliant. Instead, what they guarantee is that Amazon’s hardware and software are HIPAA compliant. This does not mean that a software application is HIPAA compliant just because you use AWS to host it. You can configure a ton of poor practices into AWS architecture that is covered by a Business Associate Agreement. For example, if you do not implement SSL and allow data to transmit in free text, that is your fault under the Shared Responsibility model.

This is all to say that when you enter a Business Associate Agreement with a third party, it is good to understand what their business is responsible for versus your own.

Here you can see a complete updated guide to HIPAA-compliant architecture on AWS, and an overview of Amazon S3 HIPAA Compliance.

Civil Violations

The HITECH Act outlines 4 levels of fines that can be applied based on the particular situation. Factors that can affect the amount of the financial penalty include prior violation history, the financial health of the organization, and the level of harm caused.

A HIPAA violation occurs when a covered entity or business associate fails to comply with one of the HIPAA rules (Privacy, Security, Breach Notification). Violations can be deliberate or unintentional.

Level of Culpability	Minimum Penalty per Violation Type	Maximum Penalty per Violation Type	Annual Penalty Limit
Lack of Knowledge	$127	$30.133	$30,133
Lack of Oversight	$1,280	$60,973	$121,946
Willful Neglect	$12,794	$60,973	$304,865
Willful Neglect not Corrected within 30 days	$60,973	$1,919,173	$1,919,173

Criminal Violations

HIPAA violations can be criminal in nature, although this would be much rarer than civil penalties. The Department of Justice is responsible for prosecuting criminal HIPAA violations. The tiers of criminal penalties for HIPAA violations are:

Tier	Severity	Penalty
Tier 1	Reasonable cause or no knowledge of violation	Up to 1 year in jail
Tier 2	Obtaining PHI under false pretenses	Up to 5 years in jail
Tier 3	Obtaining PHI for personal gain or with malicious intent	Up to 10 years in jail

HIPAA Litmus Test: Do You Need to be Compliant?

If you already know that you are a covered entity, business associate, or business associate subcontractor, then the answer is yes, you need to be HIPAA compliant.

Typically, if you are new to HIPAA, there are a few ways that your business might initially be exposed to HIPAA requirements:

1. You are creating a business that will deal with protected health information.
2. A business that you are working with asks you to sign a Business Associate Agreement.
3. You are dealing with protected health information in any other way. 
   

 

For more related information with HIPAA, you can also check: