How to be HIPAA compliant - a guide to HIPAA compliance
HIPAA compliance for digital health startups and businesses in healthcare and related industries
We’re a software development company, and one of our main areas of expertise is the healthcare industry. We build software suites for hospitals and mobile apps for patients, and we give the startups we cooperate with our engineers’ technical skills and our ten years of experience building for this field.
Healthcare as a software market is often characterized as: extremely attractive to cybercriminals; very hesitant to adopt new technologies; full of regulations. The HIPAA Rules are one of these regulations, and complying with them will help you tackle the other two issues, at least partially. How?
Stakeholders are often worried that software developers build products that are not secure enough, and that’s one of the reasons they’re slow to adopt new things. Cybercriminals see healthcare as an easy target because its organizations’ software is full of vulnerabilities.
The HIPAA Rules are what make your organization secure, and complying with them is obligatory if you want to operate in the US market. Our guide will help you understand how to be HIPAA compliant.
Who this HIPAA compliance guide is for
- Startups in healthcare and other industries that work or plan to work with people’s health data
- Software vendors that plan to work with healthcare organizations, or with any other organizations that handle patients’ health information
- Healthcare organizations (hospitals, clinics, private practices, clinical research organizations, laboratories, and so on) that plan to adopt, or are already adopting, new software
- Developers of wearables and other IoT devices that gather people’s data and vitals (such as heart rate) and/or other data classified as personal health information, and that plan to transmit it off the user’s connected device
Why you need this guide
Move towards compliance
This guide isn’t a guarantee of HIPAA compliance: it’s a handbook that tells you where to focus and what to do to establish it. There are lots of misunderstandings concerning HIPAA, especially in software development circles. Vendors who work for healthcare often don’t even know these rules exist (we’ve created this guide for them, too). If you want to build solutions for healthcare (desktop software, mobile apps, IoT devices, and so on), you have to do it in a HIPAA-compliant way, and this guide will give you direction on how to do that.
The security of the solutions software vendors offer is one of the main concerns for healthcare stakeholders. Our guide will help you address these concerns from the start and deepen your understanding of the challenges healthcare organizations face every day. Long-term cost-efficiency and a reduced impact from disruptions caused by data breaches and other security incidents are some of the main selling points you can use if the software you’re building is truly reliable.
Even if you don’t live in the United States and don’t need to comply with HIPAA, the recommendations and explanations covered in this guide are written to help you build a secure organization (it’s not only about secure software; it’s about the company that builds the software). Most countries around the world have some sort of regulation concerning the protection of people’s health data, and you’ll find our guide useful for planning your security strategies.
Foundation for secure future innovations
The guide will help you start laying down a secure infrastructure for your digital healthcare product, as opposed to layering security on in the middle of or after development. This, in turn, will help you build future features and functionality with the safety of patient information in mind. Cybersecurity is often overlooked even in the most popular tech, and it's vital to build a foundation, both at the software level and at the business level, that is ready to predict threats and/or react to them quickly and efficiently.
American healthcare market
If you’re a startup or a company that plans to expand its market reach to America (or a business that plans to create a product that will, when scaling, expand to America), you’ll find our guide useful because HIPAA compliance is the first necessity for digital health products in the USA. HIPAA-compliant companies will also have an advantage when preparing for FDA approval (or ISO certification outside of America, for that matter), as the requirements for these partially overlap with HIPAA recommendations.
An easy-to-read guide to HIPAA
We found the official documentation quite demanding to read in terms of style and usability, so we wrote this document in simple, straightforward language. We still recommend checking the official information on the HHS website, but our compliance guide is a good starting point for understanding the HIPAA Rules, what they cover, and what to do to follow HHS’ recommendations.
What this guide covers
1. A classic definition of HIPAA, the types of organizations that must comply with HIPAA rules, the definition of personal health information (PHI), and explanations of what can and cannot be considered PHI.
2. Breaking down the HIPAA Security Rule, the most important rule for companies that plan to develop software that interacts with PHI in any way.
   2.1. Technical safeguards (or the developer’s guide to HIPAA compliance)
   - How to protect your organization and the data of your users through access control, emergency access procedures, encryption and decryption, automatic logouts, strong password policies and protection, and verified authentication
   - The necessity of conducting technical audits
   - How to protect data integrity: protect your files from unauthorized access and track any disturbances in the system
   - Software recommended for protecting health data
   - How to protect the transmission of PHI
   - Other security recommendations that will tell you how to build HIPAA-compliant software for healthcare
   2.2. Administrative safeguards (or how to be a HIPAA-compliant IT business)
   - Recommendations on security management, risk assessment, and threat response
   - Strategies for evaluating the scale and impact of a threat
   - The role of a security officer and a privacy officer within your organization, as required by HIPAA
   - Workforce security and how to avoid human error when hiring new employees and subcontractors
   - How to choose software vendors, partners, or developers of third-party solutions for your software without putting your users’ data at risk
   - Cybersecurity training and employee awareness: how to build training that works, how to engage employees, and what to do
   - How to respond to security incidents and how to ensure your employees know how to use the incident response process, too
   - Tools that help establish HIPAA compliance and data protection through paid and open-source solutions
   - The contingency plan in your risk management strategy
   2.3. Physical safeguards
   - How to make your facility, equipment, and the devices you use HIPAA-compliant
3. Specifics of the HIPAA Breach Notification Rule: how and when to report breaches if they occur.
4. A guide to building HIPAA training that works, with best practices and worst practices.
5. What changes to expect in HIPAA regulations in 2021.
6. Frequently asked questions about HIPAA and HIPAA compliance (if you have a question we haven’t answered here, please write to us so we can include an answer in the whitepaper's next edition).
On HIPAA and cybersecurity in healthcare
According to VMware Carbon Black researchers, cybercriminals conducted about 239.4 million attacks on the healthcare industry in 2020. That's a significant increase over previous years.
Healthcare has always been a target for cyberattacks: a sweet spot with outdated software and invaluable data, namely people's health information. Trustwave says that one person's health record can be sold for $250, whereas a payment card gets hackers only $5.40. Attackers can use the data to steal your identity and money, take over your accounts and conduct other attacks from your position, harm rival organizations, or simply harm organizations in general; in short, they create lots of problems for you and your business.
American lawmakers came up with a regulatory system to make hospitals, and the companies that collaborate with them, protect themselves and their patients from cybercriminals.
Sadly, that created another sore spot for the industry: healthcare organizations are often huge and complex, and lives depend on them. It's hard to change things smoothly, which is why, for instance, about 20-40% of hospitals still run on Windows 7, an operating system that is no longer supported by Microsoft and is therefore inherently vulnerable.
40-60% of clinicians don't receive cybersecurity training, which results in them sending personal health data over email, connecting an iPhone that holds an application containing health data to free Wi-Fi, and setting passwords like 12345678. Of course, this results in data breaches. For each breached health record, healthcare organizations and their business partners pay penalties to OCR and then, upon request, to the patients whose data privacy has been breached.
Healthcare loses millions because of cybercriminals. That's why cybersecurity and HIPAA compliance are a must for every organization that works within or around the industry.
But cybercrime doesn't just cost money. It disrupts and distorts hospital processes, which causes delays in diagnosis and treatment and can eventually be fatal. Ransomware attacks stop hospitals' systems for days, and patients are the ones who suffer the most. Ransomware is most commonly delivered by email: emails that employees open, click links in, and download attachments from. The HIPAA rules cover this and other ways hackers access information and lay out recommendations for preventing them.
Software developers that work with healthcare and handle patient health information must sign a business associate contract that makes them an entity covered by HIPAA. These companies will have to conduct HIPAA training and perform audits, too, and they will have to pay OCR penalties for breaches.
They, we, and possibly you have a responsibility to build healthcare software that is as secure as possible. Our guide explains where to focus your attention.
What this guide is not
- A guarantee that no one will target your organization or hack into your users’ or patients’ data
- A guarantee that, when OCR comes to audit your company, you will pass