Is your healthcare project HIPAA compliant?

Is your healthcare project HIPAA compliant? Banner

Information Technology professionals specializing in the healthcare industry are highly sought-after, requiring responsible and highly-trained engineers. The reason is clear. A patients’ contact information, medical histories, laboratory results, insurance information are only a part of a long list of records included in health care records, and a security breach can be devastating to a business. According to open statistics, Cyberattacks in healthcare services has grown by a staggering 125% during the past 5 years mostly due to human errors in security. This might explain why healthcare organizations are constantly monitoring and increasing security of sensitive data.

A knowledgeable development team working in the healthcare industry uses only safe storages and provides protected access to patients’ data. As not every cloud storage and encryption method is sustainable in the context of confidentiality, special federal standards were created and must be followed when creating a protectable electronic service. These standards are known as HIPAA and include different recommendations on how to provide the highest protection for sensitive information (health status, provision of health care, payments linked to an individual, etc.).

HIPAA (Health Insurance Portability and Accountability Act) defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information as well as outlining numerous offenses relating to health care and sets civil and criminal penalties for violations. Since 2013, HIPAA also requires security compliance of Protected Health Information (PHI) and Business Associate’s Agreements (BAA). PHI implies any information about a patient’s health status. It may include names, contact info, diagnostics results, medical history, patient’s photos, payment accounts, health insurances, etc. This information is not disclosed to unauthorized person. When this information is stored or transferred in electronic form, it is usually referred to as electronic protected health information, or e-PHI. 

What is required according to HIPAA?
Taking into account that any health care application architecture normally entails big data storage, HIPAA compliant storage platforms should be used. Some of the storage providers claim to satisfy HIPAA requirements, however, one should always pay attention to what storage features are needed to comply. Some well-known cloud storage services, such as Amazon Web Services, are not initially HIPAA compliant, however they can be configured comply with HIPAA rules. While choosing a cloud provider, developers should ensure that all HIPAA standards are satisfied, and that even metadata of storage does not contain information about patients (e.g. their names). 

The summary of requirements according to HIPAA compliance. 
• Administrative safeguards
are about creating and updating documentation describing all procedures that regulate access to PHI, providing appropriate authorization, supervision and training of personnel, and evaluating how well security policies meet those requirements.
• Physical safeguards mean limited and authorized only facility access. All entities that take part in operations with e-PHI, such as transferring, removing, re-using, sensitive data, must have policies about usage and access. 
• Technical safeguards include unique user IDs, an emergency access procedure, automatic log-off, encryption and decryption. The hardware and software activity reports should be recorded to identify any security violations. Technical safeguards should include disaster recovery backup solutions for quick and accurate information restoring.
• Transmission security protects e-PHI against unauthorized public access and relates to all data transmission methods.

Read more about HIPAA regulations on the official website.  

HIPAA regulations may be updated, so the selected cloud and backup storage providers should guarantee compliance with new versions of regulations. To prevent breaches of information, it is obligatory to regularly review all types of safeguards. But the good thing is that the healthcare application engineers now can use security risk assessment tools specially-developed for HIPAA by HHS. 

At Svitla Systems, when providing services to the health care customers, we assign only developers who are aware of HIPAA requirements for data storage and encryption. Working with developers experienced in healthcare applications mitigates risk while providing the highest level of expertise for our customers. 

September 13, 2016