In the world of digital health, HIPAA kicks in when a digital health product handles Protected Health Information (PHI). But, what is PHI and how important is proving HIPAA compliance to an application developer?
There are several different categories of PHI, like someone’s name, home address, or phone number. When a digital health product stores, processes, or transmits PHI, HIPAA asserts rules for how it should handle a multitude of security, privacy, and policy procedures, called “controls”.
Demonstrating that your company and your digital health product meet all those controls is how you can call yourself HIPAA compliant. To get started down that road, application developers first need to understand the basic categories of HIPAA controls and which ones apply to their applications.
Understanding HIPAA controls
HIPAA controls can be conceptually organized into three levels: infrastructure, application, and company.
At the infrastructure level, compliance is very heavy on technology. Your organization needs to meet certain controls around encryption, backup and disaster recovery, OS hardening, and so on. It’s a robust list.
At the application level, compliance is more of a blend of technology and policy. Your organization needs to adhere to basic security and privacy best practices, i.e. don’t store plain text passwords. Some products exist to help these controls, but for the most part, it’s up to the organization to do the right things and to coordinate an external audit to prove compliance at this level.
There is also the broad concept of “access” that fits into this level: Does the product ensure that only authorized people have access to only certain sets of data? Oftentimes this is implemented using Access Control Lists, or ACLs. It’s a broad topic but is an important component to HIPAA compliance as well. Often a health organization—like a hospital trying to buy a digital health product—will do their own security audit to assess this level.
Related: Learn the why HIPAA Compliance should matter to healthcare developers in the comprehensive Digital Health Success Framework eBook.
At the company level, it’s about implementing administrative policies. Some products exist to establish and then continuously administer these controls. Datica open sourced our company policies under a creative commons license, which hundreds of organizations have used as a starting point for their own company-level policies used in their own audits.
Datica’s newly revised guide, HIPAA Compliance at the Application Level, dives into all the under-the-hood considerations you must manage at the application level to ensure your application meets the security requirements required for healthcare data. Follow this detailed guidance to get through an audit process and better engage with your healthcare customers.