April 2, 2019

What’s an Application Developer's Responsibility for HIPAA?

Laleh Hassibi

Vice President of Marketing

In the world of digital health, HIPAA obligations kick in when a digital health product handles Protected Health Information (PHI). But what is PHI, and how important is proving HIPAA compliance to an application developer?

PHI is individually identifiable health information: health data tied to identifiers such as a person's name, home address, or phone number. When a digital health product stores, processes, or transmits PHI, the HIPAA Privacy and Security Rules dictate how it must be handled through a multitude of security, privacy, and policy requirements, commonly called "controls".

Demonstrating that your company and your digital health product meet all of those controls is how you can call yourself HIPAA compliant. Note that HHS does not certify products as HIPAA compliant; "compliant" means your organization has implemented the required safeguards and can evidence them, usually through an independent audit. To get started down that road, application developers first need to understand the basic categories of HIPAA controls and which ones apply to their applications.

Understanding HIPAA controls

HIPAA controls can be conceptually organized into three levels: infrastructure, application, and company.

At the infrastructure level, compliance is heavily technical. Your organization needs to meet controls around encryption (at rest and in transit), backup and disaster recovery, OS hardening, logging, and so on. It is a robust list.

At the application level, compliance is more of a blend of technology and policy. Your organization needs to adhere to basic security and privacy best practices, e.g. never store plain-text passwords. Some products exist to help with these controls, but for the most part it is up to the organization to do the right things and to coordinate an external audit to prove compliance at this level.

The broad concept of "access" also fits into this level: does the product ensure that only authorized people have access, and only to the data sets they need? This is often implemented with Access Control Lists (ACLs), with access denied unless an entry explicitly grants it. It is a broad topic, but it is an important component of HIPAA compliance. A health organization, such as a hospital evaluating a digital health product, will often run its own security audit to assess this level.
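The two application-level controls named above, password storage and ACL-based access to PHI, as an added example in Python. This is illustrative code written for this article, not Datica's product or policy code. The scrypt parameters, the principals, the data set names, and the record contents are all constructed for the example; the key points it shows are that only a salted hash of the password is ever stored, that verification compares in constant time, and that access to a data set is denied by default unless an ACL entry grants the action.

```python
"""
Added example (not Datica's code): two application-level HIPAA controls.
  1. Passwords are stored as salted scrypt hashes, never in plain text.
  2. PHI is split into data sets, and an ACL grants per-principal actions
     on each data set; anything not explicitly granted is denied.
All names, data, and parameters below are constructed for illustration.
"""
import hashlib
import hmac
import os

# scrypt work factors (illustrative; n must be a power of two, and
# memory use is roughly 128 * n * r bytes, here about 16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt-hex>$<hash-hex>' for storage.

    A fresh random salt per password means identical passwords do not
    produce identical stored values, and the plain text is never kept.
    """
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, expected)


# Constructed ACL: (principal, data set) -> actions explicitly granted.
ACL = {
    ("dr_lee", "patient:1001"): {"read", "write"},
    ("nurse_kim", "patient:1001"): {"read"},
    ("billing_bot", "patient:1001:billing"): {"read"},
}

# Constructed PHI, split into data sets so that billing staff can be
# granted the billing view without the clinical record.
RECORDS = {
    "patient:1001": {"name": "Jane Doe", "diagnosis": "example"},
    "patient:1001:billing": {"name": "Jane Doe", "insurer": "example"},
}


def is_allowed(acl: dict, principal: str, dataset: str, action: str) -> bool:
    """Deny by default: True only if an ACL entry grants this action."""
    return action in acl.get((principal, dataset), set())


def read_dataset(acl: dict, principal: str, dataset: str) -> dict:
    """Return the data set only if the ACL grants 'read' on it."""
    if not is_allowed(acl, principal, dataset, "read"):
        raise PermissionError(f"{principal} may not read {dataset}")
    return RECORDS[dataset]


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored:", stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("billing_bot clinical access:",
          is_allowed(ACL, "billing_bot", "patient:1001", "read"))
```

In a real product the ACL and the hashed credentials live in a database, and every allow or deny decision should also be written to an audit log; the structure of the check, explicit grant or denial, stays the same.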

Related: Learn why HIPAA compliance should matter to healthcare developers in the comprehensive Digital Health Success Framework eBook.

At the company level, it is about implementing administrative policies. Some products exist to establish and then continuously administer these controls. Datica open sourced our company policies under a Creative Commons license, and hundreds of organizations have used them as a starting point for the company-level policies they use in their own audits.

Datica's newly revised guide, HIPAA Compliance at the Application Level, dives into all the under-the-hood considerations you must manage at the application level to ensure your application meets the security requirements for healthcare data. Follow this detailed guidance to get through an audit process and better engage with your healthcare customers.

Tags: HIPAA, Digital Health Success Framework, Apps, mHealth

Related

The Internal ROI of HITRUST

Travis Good, MD

Co-founder, CEO & Chief Privacy Officer

As demonstrated in many ways here at Datica, there is a clear ROI with leveraging HITRUST as your anchoring compliance framework.

October 9, 2018

What is the cost of a HIPAA audit?

Travis Good, MD

Co-founder, CEO & Chief Privacy Officer

The cost of a HIPAA audit depends on audit type – HIPAA gap assessment, full HIPAA audit, or validated HITRUST assessment – and indirect costs like time.

January 23, 2019

2019 Predictions: The Patient Context War

Travis Good, MD

Co-founder, CEO & Chief Privacy Officer

The demand for clinical data for both data-driven analytics and powering new workflows is fueled by the concept of adding “patient context” to digital products in 2019.

February 21, 2019

Announcing the Future of Cloud Compliance: The Datica Cloud Compliance Management System

Ryan Rich

Chief Product Officer

We're pleased to announce the Datica CCMS — our latest and most flexible product that has an eye on the future.

October 3, 2018