LegalReader.com  ·  Legal News, Analysis, & Commentary


Healthcare App Development: the Issue of Compliance with HIPAA Requirements


— April 17, 2020



Developing a healthcare app is a demanding and complicated task. When human health and life are at stake, errors are inexcusable. There is, however, another serious problem: under current legislation, every company, individual or software product that stores or processes medical information must comply with the requirements of HIPAA. If you are scratching your head over this issue, it’s time to slice and dice it!

What Is HIPAA?

The Health Insurance Portability and Accountability Act, known as HIPAA, is a law aimed at protecting the personal and medical data of people receiving medical services. It covers companies that process or store ePHI (Electronic Protected Health Information) and/or eHRS (Electronic Health Records). These include providers of healthcare and medical services, insurance companies, and clearinghouses. Not only these entities themselves, but also their business partners must comply with the requirements of HIPAA. We’ll review only those requirements that apply to healthcare software developers.

Violation of HIPAA Requirements: What Are the Penalties?

Everyone thinking of creating a healthcare app should be aware of the huge fines imposed for violating HIPAA requirements. The size of the fine varies with the severity of the violation and its consequences.

  1. Unintentional violations that couldn’t be prevented or avoided because of the violator’s ignorance, where the violator fixed the problem after being informed of it. The fine varies from 100 to 5000 USD per violation but can’t exceed 1.5M USD per year.
  2. Unintentional violations that occurred because of the violator’s ignorance, where the violator couldn’t fix the problem even after being informed of it. The fine varies from 1000 to 5000 USD per violation but can’t exceed 1.5M USD per year.
  3. Intentional violations that occurred through willful neglect of the requirements, where the violator fixed the problem within 30 days of being informed of it. The fine varies from 10 to 50 thousand USD but can’t exceed 1.5M USD per year.
  4. Intentional violations that occurred through willful neglect of the requirements, where the violator didn’t fix the problem within 30 days of being informed of it. The fine starts at 50 thousand USD but can’t exceed 1.5M USD per year.

Three Main Rules of HIPAA

Graphic of basic HIPAA components, courtesy of author.

For a healthcare software development company, it’s crucial to focus on the three main components of HIPAA. Here they are:

  • Privacy, which concerns the protection of patients’ personal information. Apart from personal data (name, surname, SSN), it covers all information about a patient’s health condition, the medical services used, and the payments for those services.
  • Security, which concerns the methods used to protect ePHI and to minimize the risks of theft and fraud.
  • Breach notification, which obliges the company to disclose a data breach to the affected patients, to HHS, and to the media.

When developing a healthcare app, you should plan for compliance with these basic requirements from the start.

Technical Aspects to Consider

To guarantee compliance with HIPAA requirements, a software developer must foresee and eliminate potential risks. From a technical point of view, the main aspects to consider are the following.

  • Protection from unauthorized access. Beyond a simple authorization system, consider two-step verification and a well-designed system for managing the disclosure of medical information.
  • Strong encryption methods. To guarantee reliable protection of transmitted information, make sure it is encrypted with strong, current algorithms.
  • Keeping audit logs of user activity. This helps detect and prevent unauthorized access and identify the violator’s IP address faster.
  • Auto log-off. This useful feature is triggered when a user has been inactive for some time. It prevents unauthorized access if someone forgets to log out of the app before leaving.
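The following is an added example, not code from the article, showing how three of the points above fit together in one component: a session store that enforces inactivity auto log-off, a role-based check before any ePHI read, and an append-only audit log in which every entry's HMAC chains over the previous one so that deleted or edited entries are detectable. The class names, roles, record ids, the 15-minute time-out and the audit key are all constructed for illustration; the audit entries record who accessed which record and with what outcome, never the record contents.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed policy value (not from the article): auto log-off after 15 idle minutes.
INACTIVITY_TIMEOUT_S = 15 * 60


@dataclass
class Session:
    user_id: str
    role: str
    source_ip: str
    last_seen: float


class AuditLog:
    """Append-only trail: each entry's HMAC covers the previous entry's HMAC,
    so editing or removing an earlier entry makes verify() fail."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[dict] = []
        self._prev_mac = b"\x00" * 32

    def _mac(self, prev: bytes, event: dict) -> bytes:
        body = json.dumps(event, sort_keys=True).encode()
        return hmac.new(self._key, prev + body, hashlib.sha256).digest()

    def record(self, event: dict) -> None:
        mac = self._mac(self._prev_mac, event)
        self.entries.append({"event": event, "mac": mac.hex()})
        self._prev_mac = mac

    def verify(self) -> bool:
        prev = b"\x00" * 32
        for entry in self.entries:
            expected = self._mac(prev, entry["event"])
            if not hmac.compare_digest(expected.hex(), entry["mac"]):
                return False
            prev = expected
        return True


class RecordStore:
    """Guards ePHI reads with a session check, an inactivity time-out and a
    role-based access list, and writes every outcome to the audit log."""

    # Hypothetical role -> allowed record categories mapping.
    ACL = {"clinician": {"chart", "billing"}, "billing_clerk": {"billing"}}

    def __init__(self, audit: AuditLog, clock: Callable[[], float] = time.time) -> None:
        self._audit = audit
        self._clock = clock
        self._sessions: Dict[str, Session] = {}
        # Constructed sample records; their values never reach the audit log.
        self._records = {"chart:p1": "sample chart", "billing:p1": "sample invoice"}

    def _log(self, action: str, outcome: str, sess: Optional[Session], record_id: str, ip: str) -> None:
        self._audit.record({"ts": self._clock(), "user": sess.user_id if sess else None,
                            "ip": ip, "action": action, "record": record_id, "outcome": outcome})

    def login(self, token: str, user_id: str, role: str, ip: str) -> None:
        sess = Session(user_id, role, ip, self._clock())
        self._sessions[token] = sess
        self._log("login", "ok", sess, "-", ip)

    def read(self, token: str, record_id: str, ip: str) -> Tuple[str, Optional[str]]:
        sess = self._sessions.get(token)
        if sess is None:
            self._log("read", "denied:no_session", None, record_id, ip)
            return "denied", None
        now = self._clock()
        if now - sess.last_seen > INACTIVITY_TIMEOUT_S:
            # Auto log-off: discard the idle session and refuse the read.
            del self._sessions[token]
            self._log("auto_logoff", "session_expired", sess, record_id, ip)
            return "logged_out", None
        sess.last_seen = now
        category = record_id.split(":", 1)[0]
        if category not in self.ACL.get(sess.role, set()):
            self._log("read", "denied:role", sess, record_id, ip)
            return "denied", None
        self._log("read", "ok", sess, record_id, ip)
        return "ok", self._records.get(record_id)


class FakeClock:
    """Controllable clock so the time-out can be exercised deterministically."""
    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> Tuple[List[str], AuditLog]:
    clock = FakeClock()
    audit = AuditLog(key=b"constructed-audit-key")  # in production, from a KMS/HSM
    store = RecordStore(audit, clock)
    store.login("tok-a", "dr.alice", "clinician", "10.0.0.5")
    store.login("tok-b", "bob", "billing_clerk", "10.0.0.9")
    outcomes = [store.read("tok-a", "chart:p1", "10.0.0.5")[0],   # ok
                store.read("tok-b", "chart:p1", "10.0.0.9")[0],   # denied: wrong role
                store.read("tok-x", "chart:p1", "10.0.0.7")[0]]   # denied: no session
    clock.advance(INACTIVITY_TIMEOUT_S + 1)
    outcomes.append(store.read("tok-a", "chart:p1", "10.0.0.5")[0])  # logged_out
    outcomes.append(store.read("tok-a", "chart:p1", "10.0.0.5")[0])  # denied: session gone
    return outcomes, audit


if __name__ == "__main__":
    results, log = demo()
    print(results, "audit intact:", log.verify())
```

The chained HMAC is what makes the log useful as evidence after an incident: a single key held outside the application (here a constructed constant) lets an investigator confirm that no entry was altered or dropped, and the entries hold only identifiers, source IP and outcome, so the log itself does not become a second copy of the ePHI it protects.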

Administrative Aspects to Consider

Even a technically perfect app can become vulnerable when it is managed and used improperly. To minimize the risks caused by human error, take some basic precautionary measures.

  • Risk management. You must identify all potential risks and work out the best response for every possible scenario.
  • Employee training. Make sure your employees are aware of the HIPAA requirements and of the risks associated with violating them.
  • Preventing unauthorized access. Narrow down the range of individuals and entities that have access to the app. Don’t forget formal agreements with business partners who will have access to sensitive information.

Common Mistakes That Result in HIPAA Requirements Violation

Even a small mistake can cause huge problems. Let’s review some common mistakes in the field of healthcare information processing.

  • Improper information storage and disposal. Storing sensitive information on paper or on portable digital media is not recommended. If you do so, make sure you dispose of it promptly and correctly.
  • Relying on your partners’ honesty. Your business partners must not receive more information than the contract allows.
  • Accidental data leakage. Your employees should avoid saying or spelling out patients’ names and health conditions when someone else is within earshot.
  • Loss of ePHI and eHRS. Instead of storing information on hard drives that can break, get lost or be damaged, consider buying HIPAA-compliant cloud storage. This is the best way to comply with the requirements.

Complying with HIPAA rules can seem quite a challenge at first sight. We hope our recommendations will help you work out the right approach.
