What is HIPAA?
The Health Insurance Portability and Accountability Act, or HIPAA, is a law established in 1996 for the purpose of protecting the private healthcare information of U.S. citizens. You could look at it as the legal barrier that prevents healthcare providers, businesses, or other organizations from accessing and sharing your private health information without your explicit consent.
You’ve probably heard the term used when visiting a clinic for a regular checkup, or at the hospital. Those kinds of locations and situations are the most common places for HIPAA to be applicable, but as this article will soon detail, HIPAA doesn’t just apply to hospitals and your local family pediatricians.
In fact, HIPAA is a matter that concerns nearly every business and industry to some extent, even businesses that don’t have anything to do with the medical industry. For instance, if you enroll in your workplace’s healthcare benefit plan, HIPAA may come into play to help protect the privacy of your medical history and ongoing healthcare concerns. Moreover, if you are injured in the workplace, that business is typically required by OSHA to maintain a record of that injury, and that record must also be kept in compliance with HIPAA privacy rules.
This all gets more complicated as the digital world comes into the picture, especially if a business intends on minimizing any kind of physical records by making digital variants instead, including digital records of workplace injuries and illnesses. HIPAA applies to these digital records just the same as any physical record.
PHI and PII
PHI, or Protected Health Information, is any medical record, health information, or other patient data that can be tied to an identifiable person, for example a treatment plan in which the patient is named. Typically, any form of medical history is considered PHI and is meant to be strictly confidential except where HIPAA permits disclosure.
In contrast, PII, or Personally Identifiable Information, is any information or record which can be used to identify, locate, or contact an individual. This can be anything personal, including gender, ethnicity, skin color, name, birthplace, address (including past addresses), etc. The information doesn’t even need to be explicit, so long as it can be used to identify the person. For example, if your company is made up of 90% men and 10% women, then any information that specifically identifies a woman within your company (despite not including any other identifying information) could be considered PII, since the pool of people it could refer to is narrowed down to a few individuals.
Now, the largest difference between the two is that PII is not typically protected under HIPAA unless it can be somehow reverse engineered or connected to PHI. For instance, if you are conducting a marketing campaign for a new drug, then using information in your campaign that can be traced back to an individual would be in violation of HIPAA (as the usage of the drug may indicate a healthcare history or need). However, regardless of whether or not HIPAA applies, many local, state, and even national governments require privacy policies to be put in place which detail how private information may be used, and to require some form of consent from the person the PII is about.
How this affects your business’ software
One of the difficulties of maintaining privacy with software records and files is that software is extremely easy to duplicate, share, and even lose track of. Moreover, records or mirror duplicates may be created or backed-up without your knowledge (or simply forgotten/overlooked), and deleted data can often be retrieved by those with the know-how and tools. Digital information is also at risk of being stolen or illegally modified, and if not properly secured can pose a great risk to both the people involved and the business/organization handling the information.
For example, in 2019 the City of New Haven, CT, faced a $200,000 fine after a previous employee was able to copy the ePHI (electronic protected health information) of nearly 500 individuals. In another instance, the University of Rochester lost a flash drive and a laptop which contained unencrypted ePHI, and were fined $3,000,000 for their failure to maintain proper safeguards.
In other words, the U.S. Department of Health and Human Services (HHS) takes HIPAA violations very seriously, and even what may seem like a minor leak such as a misplaced flash drive could result in hundreds of thousands of dollars lost, alongside major negative publicity.
Moreover, accountability for such HIPAA violations does not extend to just your company and employees, but also to contractors, sub-contractors, subsidiaries, and beyond. For instance, if you are contracting with a datacenter to host your company’s information, including ePHI, and they undergo a hack which leaks this information, then you may also be liable for any potential consequences. The inverse may also be true: you might be a software contractor who is given data that includes ePII and/or ePHI, in which case the manner in which you handle and secure that information is crucial to ensure HIPAA is not violated.
Some policies and requirements to keep in mind
Now knowing the risks involved with software when it comes to ePHI and ePII, here are some standard policies and HIPAA requirements that your company/organization should implement to maintain HIPAA compliance, alongside adherence to other privacy laws that your local government or state may enforce.
Business Associate Agreement
To help sustain legality and to protect yourself, you should ensure that any business associate you work with or contract with signs some form of legal document that both states their intention to comply with HIPAA and commits them to accountability for security failures on their part. This will help protect your business/organization if that associate somehow violates HIPAA or fails to protect against a security breach. In fact, HIPAA requires that all sub-contractors and similar parties sign some form of HIPAA-compliant business associate agreement.
You should also ensure that any clients, customers, or even employees whose information (ePHI or ePII) may be shared with said business associate consent to that sharing. Typically, this would be done in the initial contract agreement, which explains the reasons and circumstances under which such information would be recorded and/or shared.
Your company/organization should maintain strict security policies whenever it comes to ePHI or ePII, wherein access is limited and controlled. Only employees with specific roles which need to access that information (such as a physician, or human resources officer) should have access to it, and their means of access should be secured (encrypted and password protected, preferably with some form of two-factor authentication).
There should also be policies in place that prevent or forbid staff and employees from sharing or viewing ePHI and ePII on one another’s computers or workstations (even in passing). You can help manage this by setting a policy of always locking computers and terminals when not in use, even if only for a short period (such as a restroom break). Automatic sign-outs or time-outs are also a good idea (for both the workstation and/or any apps/browser sites which may contain access to ePHI or ePII).
Staff with access to ePHI and ePII should also regularly receive training on how to handle such information, and how to maintain general software security policies (such as regularly changing passwords, not clicking unknown links in emails, etc.). You should also keep some form of log or record of when ePHI is accessed and by whom.
Another important, and often forgotten, software security practice is to ensure that old or inactive accounts are quickly disabled or removed, especially if they contain access to ePHI and/or ePII. Far too many businesses and organizations forget to maintain this security protocol whenever an employee is terminated or leaves the company (or is moved into a different department), leaving their credentials wide open to exploitation. If no one is actively monitoring their account and maintaining security (i.e., regularly changing passwords), then that account could be the gateway which allows a hacker, or someone else, to gain access to private information, potentially leading to major lawsuits and legal repercussions.
One easy way to help avoid such security failures is to hire or train an IT specialist who understands the risks associated with software and knows how to maintain a secure system. This specialist should be regularly monitoring all accounts and should be notified the moment there is a change that could affect security (such as someone leaving the company, requiring an account to be closed or disabled). They should also receive regular training and offer training to all employees who may have access to ePHI and ePII. While it remains the responsibility of business owners to maintain the safety of their company and employees, having a specialist who understands the tech, and proper safeguards, will help ensure that private data remains safe.
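The access-control, audit-logging and account-deprovisioning points above can be made concrete in code. The following is an added example, not code from the original article or from Mindfire Tech: a small Go program that only grants ePHI actions to roles that need them, writes every decision (granted or denied) to an audit log, refuses terminated accounts outright, and sweeps for accounts that should be disabled because the person has left or has not signed in within a set idle window. The role names, action names, sample accounts and the 90-day idle limit are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Roles and the ePHI actions each may perform. These role and action names
// are assumptions for this example; the point is that access is restricted by
// job function, as the article recommends.
var permitted = map[string]map[string]bool{
	"physician":    {"read_phi": true, "write_phi": true},
	"hr_officer":   {"read_phi": true},
	"receptionist": {}, // no direct ePHI access
}

// Account is a constructed user record carrying what the sweep below needs.
type Account struct {
	Username   string
	Role       string
	Terminated bool      // set by HR when the person leaves or changes department
	LastLogin  time.Time // last successful sign-in
}

// AuditEntry records every access decision, granted or denied, so that who
// accessed which ePHI record, and when, can be reconstructed later.
type AuditEntry struct {
	When     time.Time
	Username string
	Action   string
	RecordID string
	Granted  bool
}

var ErrDenied = errors.New("access denied")

// Authorize decides whether the account may perform action on recordID and
// appends the decision to the audit log before returning. A terminated account
// is always refused, even if its role would otherwise allow the action.
func Authorize(audit *[]AuditEntry, acct Account, action, recordID string, now time.Time) error {
	granted := !acct.Terminated && permitted[acct.Role][action]
	*audit = append(*audit, AuditEntry{
		When: now, Username: acct.Username, Action: action, RecordID: recordID, Granted: granted,
	})
	if !granted {
		return ErrDenied
	}
	return nil
}

// StaleAccounts returns the usernames that should be disabled: anyone marked
// terminated, or anyone who has not signed in within maxIdle.
func StaleAccounts(accts []Account, now time.Time, maxIdle time.Duration) []string {
	var stale []string
	for _, a := range accts {
		if a.Terminated || now.Sub(a.LastLogin) > maxIdle {
			stale = append(stale, a.Username)
		}
	}
	return stale
}

func main() {
	now := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	// Constructed sample accounts.
	accts := []Account{
		{"dr.lee", "physician", false, now.Add(-24 * time.Hour)},
		{"hr.kim", "hr_officer", false, now.Add(-3 * 24 * time.Hour)},
		{"ex.jones", "physician", true, now.Add(-10 * 24 * time.Hour)},
		{"front.desk", "receptionist", false, now.Add(-120 * 24 * time.Hour)},
	}
	var audit []AuditEntry
	for _, a := range accts {
		err := Authorize(&audit, a, "read_phi", "patient-0001", now)
		fmt.Printf("%-10s %-12s read_phi -> %v\n", a.Username, a.Role, err)
	}
	fmt.Println("accounts to disable:", StaleAccounts(accts, now, 90*24*time.Hour))
	fmt.Println("audit entries recorded:", len(audit))
}
```

Two design points worth noting: denied attempts are logged as well as granted ones, because a burst of denials from one account is exactly the signal an IT specialist monitoring accounts wants to see; and the stale sweep keys off an HR-maintained "terminated" flag in addition to idle time, so that an account is caught at the moment the person leaves rather than 90 days later.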
Finally, you should also keep a record of all hardware which contains ePHI and ePII, and maintain policies and procedures for sanitizing or wiping that information when required or requested.
Your company’s/organization’s IT specialist should also hold regular threat or risk assessment meetings with executives or managers, wherein they work to determine all possible ways a breach could occur. They should then plan efforts to prevent those breaches, and work to maintain the latest security methods. You should also create a contingency plan should a breach occur in order to ensure that the process of handling the breach goes smoothly and correctly.
One of the most common breach points where ePHI is stolen or lost is on mobile devices. This includes any smartphones, laptops, tablets, storage devices (flash/thumb drives), etc. This is especially true with privately owned devices not issued and secured by your business/organization. This typically comes down to the fact that such devices are easily stolen compared to desktop computers and servers, especially if they are often used in public spaces such as parks or coffee shops. One minute you could be paying full attention to your smartphone, and then in a brief few seconds of inattention someone swipes it. Worse yet, you may even still be signed into the device, meaning that all the information stored thereon, such as account details, images, videos, and more are all now easily accessible to the thief.
Now imagine the stolen smartphone contains ePHI of a client, or of your client’s client. Just like that, one small moment of inattention has resulted in what could end up being a multimillion-dollar lawsuit.
To help combat this issue, the easiest way to avoid losing ePHI and ePII on mobile devices is to not have any such information stored on them at all, at least not on private mobile devices such as smartphones. However, in the cases where you are required to allow it, you are required by HIPAA to ensure that all necessary precautions are taken to prevent access to that information, such as proper encryption.
Since we live in an imperfect world where sometimes bad things just happen, it is important in the eyes of HIPAA that we at least show that we tried to do everything we could to prevent potential violations.
With this in mind, we can consider situations where a thief or hacker somehow manages to bypass our rigorous efforts to maintain security, perhaps even something as severe as a break-in wherein a burglar steals ePHI-containing devices despite best efforts to secure your workplace.
While the break-in was certainly not your fault, it is still your responsibility to ensure that any stolen devices that contained ePHI were as secure as possible to help prevent the information from being discovered and/or leaked. To do this, you must maintain encryption standards for all ePHI/ePII data and files both while the information is sitting in storage and when it is being transferred from one location to another.
Typically, this means a NIST (National Institute of Standards and Technology) approved level of encryption whenever the information is outside of internal servers: data at rest must be encrypted with AES (Advanced Encryption Standard), and data in transit must be protected with TLS 1.2 (Transport Layer Security) or better. It is best to review the latest standards and recommendations set by NIST to ensure that you are maintaining an up-to-date and secure database, both internally and externally.
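To show what "AES at rest, TLS 1.2 or better in transit" looks like in practice, here is an added Go example (not code from the original article or from Mindfire Tech). It stores an ePHI record as an AES-256-GCM blob with a fresh random nonce, binds the blob to its record ID via additional authenticated data so a ciphertext cannot be quietly swapped onto another patient's record, rejects truncated or tampered blobs, and returns a TLS configuration that refuses anything below TLS 1.2. The record layout, the record IDs and the sample record contents are constructed for illustration; the fixed key in the test is a test fixture only, and real keys must come from a key-management system rather than from source code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM instance. The key length selects AES-128/192/256,
// and we insist on 32 bytes so that only AES-256 is ever used.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals an ePHI record for storage. The stored blob is
// nonce || ciphertext || tag. recordID is passed as additional authenticated
// data: it is not encrypted, but decryption fails if the blob is later
// presented under a different record ID.
func EncryptRecord(key, plaintext []byte, recordID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord and returns an error if the blob was
// truncated, modified, or stored under the wrong record ID.
func DecryptRecord(key, blob []byte, recordID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// TransportConfig is the TLS configuration to hand to a net/http server or
// client so that it refuses any connection negotiated below TLS 1.2.
func TransportConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("patient-0001|dob=1970-01-01|dx=example")
	blob, err := EncryptRecord(key, record, "patient-0001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes (%d plaintext + 12 nonce + 16 tag)\n", len(blob), len(record))
	pt, err := DecryptRecord(key, blob, "patient-0001")
	fmt.Printf("decrypt under right ID: %q, err=%v\n", pt, err)
	_, err = DecryptRecord(key, blob, "patient-0002")
	fmt.Println("decrypt under wrong ID:", err)
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptRecord(key, blob, "patient-0001")
	fmt.Println("decrypt tampered blob:", err)
	fmt.Println("TLS 1.2 is the minimum:", TransportConfig().MinVersion == tls.VersionTLS12)
}
```

The GCM mode matters here as much as the AES choice: a stolen laptop holding AES-encrypted files is only protected if the attacker cannot read them without the key, and authenticated encryption additionally lets you detect a blob that was altered rather than merely read. On the transport side, `MinVersion: tls.VersionTLS12` still permits TLS 1.3, which is what "1.2 or better" asks for.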
How to handle a breach
Unfortunately, regardless of your best efforts, a leak is still a possibility. Humans are fallible, and there are all sorts of criminals constantly seeking ways to compromise your business’ security so they can make a quick buck at your expense. Therefore, while you should do everything possible to prevent it, you must also be prepared in case it happens anyway.
HIPAA has a set of different requirements for notifying victims and handling PHI breaches based on the number of clients/users whose information was leaked or stolen.
Individuals (fewer than 500 people)
For breaches wherein the information of fewer than 500 people was stolen, leaked, or lost, businesses and organizations who are at fault must notify every involved individual within 60 days of the breach. The best way to do this is to send a first-class letter notifying the individual of the breach and the kinds of information that may have been stolen (be careful to avoid other HIPAA violations in so doing; choice of words is important). You should also include steps that the individual may take to help protect themselves as a result of the information being leaked, how you are going to investigate the cause of and mitigate damages from the breach, and how you are working to prevent such a breach from happening moving forward. In other words, you need to be up front with those the breach may have affected and inform them of how you are going to make it right (or as right as can be).
If you do not have reliable contact information for 10 or more individuals, then you must post a notice on the homepage of your website with HIPAA-compliant details of the breach and keep it there for at least 90 days. You should also have a toll-free number which affected individuals may use to contact you in order to verify whether their information was part of the breach and what you intend to do about it (basically the same information that would’ve been in the letter).
Finally, you must notify the Secretary of HHS of that breach and any others at least once a year (typically within one year of the first breach).
More than 500 Individuals
Now, in a situation where 500 or more people are affected by the breach, then some additional steps must be taken. If those 500 individuals are within a single jurisdiction or state, then you are required to notify media outlets which service that jurisdiction or state so that they can prepare and release a press statement which outlines the breach (similar to the notice posted on your website). The reason for this is because many individuals may not have access to your website, or don’t visit it regularly, and it is far more likely that a public media press release will be noticed by them, allowing them to then contact you and to prepare themselves for any potential consequences of the breach.
Moreover, you must also notify the Secretary of HHS of the breach ASAP, within no more than a 60-day period.
Who and what else?
Once you have notified all affected individuals and made the necessary public statements about the breach, you also must notify any business associates within a 60-day period. This is extremely important to remember: while legally it may have been the fault of one party, it may be another party involved who actually collected the information and to whom the clients/users look for notifications about the breach. For instance, if you contract with a data center to hold ePHI and that datacenter is hacked, then you are still responsible to ensure that all affected individuals are notified, as it is highly unlikely that your clients/users are going to recognize the datacenter or ever visit their website. Therefore, both you and the associate must work together to ensure notifications are sent and received.
Another important thing to note is that during this entire process, it is important to maintain documentation of how you handled the breach, how you notified affected individuals, and how you intend to prevent such a breach in the future (including immediate changes). All such information may be invaluable to you should HHS or another entity choose to sue or audit you. If you can show that you did everything reasonably possible to prevent the breach, notify affected individuals, handle the breach, and prevent future breaches, then you are far more likely to escape more severe repercussions.
You should also keep track of how you maintained security before a breach even occurs, including training, security procedures, etc., in order to prove that you were making a considerable effort before the breach happened.
In the end, despite all your efforts, sometimes there really isn’t anything you could have done, but it falls on you to prove that was the case. Often, however, you will find there was something that could’ve been done, which is why it is best to consider HIPAA compliance and all potential security violations sooner rather than later.
We are here for you
Still not sure where to go from here to ensure your company is HIPAA compliant? Well, luckily for you, Mindfire Tech is made up of a team of extremely experienced and talented software engineers who have been in the business for decades. Every member of our team understands the importance of security and works tirelessly to ensure our software is as up to spec as possible.
Whether you need your existing software updated or brand-new software, including apps, websites, or unique programs, Mindfire is ready to tackle your project; all while keeping HIPAA and all other important security standards at the forefront of our efforts.
Moreover, Mindfire offers fractional CTO / CIO services, wherein we can offer insights and help in ensuring your business/organization is up to par with the latest security standards and policies.
Just reach out through our contact-us page, and we’ll be happy to help in whatever ways we can!
Mindfire Contact-Us Page: CONTACT-US
If you want to learn more about HIPAA straight from the source, do check out HHS’ official website to learn all there is to know about how you can avoid a HIPAA violation and keep your client’s information safe.
HHS HIPAA Link: HIPAA WEBSITE