Editor’s note: In this article, Natallia shows how to make healthcare software HIPAA-compliant using the example of two of ScienceSoft’s healthcare IT projects. She also briefly covers common measures for achieving HIPAA compliance and dispels several myths about HIPAA-compliant software. If you are looking for help with developing secure software for healthcare, you are welcome to consider ScienceSoft’s healthcare software development offering.
Throughout my practice, HIPAA compliance has always been a burning issue in the healthcare industry. Whether the customer is a healthcare provider, a software product company or a medical device manufacturer, they always want to be sure that we can make their software HIPAA-compliant. So, based on ScienceSoft’s 15 years of experience in developing and implementing medical solutions, I’d like to discuss how to make software HIPAA-compliant.
I always recommend the following measures to achieve HIPAA compliance of healthcare software and protect PHI (protected health information):
- Data encryption – encrypting patient data both in transit (TLS on every client-server and service-to-service connection) and at rest, so that it cannot be read by anyone who does not hold the key. Encryption can be applied at different layers, for example at the disk or block level, the file level, the database level, or to individual fields. The practical caveat is that the protection is only as strong as the key management: keys must be stored and controlled separately from the data they protect.
- Data access control measures – setting up user roles, user authentication, access rights, action permissions, automatic logoff after a period of inactivity, etc. Such measures restrict system access to what each role actually needs, so you achieve patient data privacy and minimize the possibility of leakage. Role permissions alone are not enough: the software also has to check that the user may access this particular patient’s record, not just records in general.
- Security audit procedures – two things fall under this heading: audit controls inside the software itself, i.e., logging every access to PHI so that who viewed or changed what, and when, can be reconstructed, and regular security checks of the system such as vulnerability assessment, penetration testing and continuous monitoring.
You can find more details on these measures in the recent article by my colleague Alena Niluliak, ScienceSoft’s healthcare IT consultant.
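As an added example of the first measure, encryption of PHI at rest, here is illustrative Go code written for this article; it is not code from the ScienceSoft projects described below, and the record layout, the sample PHI and the in-memory KEK are constructed assumptions (a real KEK would be fetched from a KMS or HSM). Each record gets its own AES-256-GCM data key, that key is wrapped under the key-encryption key, and the record ID is bound into both ciphertexts as associated data, so a ciphertext moved into another patient’s row fails to decrypt instead of quietly returning the wrong patient’s data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record as it would sit in the database: the PHI is sealed under a random
// per-record data key, and that key is sealed under a key-encryption key (KEK)
// that never leaves the KMS/HSM. Field names are this example's own.
type Record struct {
	ID         string
	WrappedKey []byte // data key, AES-256-GCM under the KEK
	Ciphertext []byte // nonce || ciphertext || tag, AES-256-GCM under the data key
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce and binds the result to aad (the
// record ID) so a ciphertext cannot be quietly re-filed under another patient.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt wraps a fresh data key for each record, so rotating the KEK means
// re-wrapping small keys, not re-encrypting every patient's data.
func Encrypt(kek []byte, id string, phi []byte) (Record, error) {
	dk := make([]byte, 32)
	if _, err := rand.Read(dk); err != nil {
		return Record{}, err
	}
	ct, err := seal(dk, phi, []byte(id))
	if err != nil {
		return Record{}, err
	}
	wk, err := seal(kek, dk, []byte(id))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, WrappedKey: wk, Ciphertext: ct}, nil
}

// Decrypt fails closed: a wrong KEK, a flipped bit, or a record ID that differs
// from the one the data was sealed under all return an error, never garbage.
func Decrypt(kek []byte, r Record) ([]byte, error) {
	dk, err := unseal(kek, r.WrappedKey, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key for %s: %w", r.ID, err)
	}
	return unseal(dk, r.Ciphertext, []byte(r.ID))
}

func main() {
	kek := make([]byte, 32) // constructed; a real KEK is fetched from the KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := Encrypt(kek, "patient-1", []byte("HbA1c 7.2%")) // constructed sample PHI
	if err != nil {
		panic(err)
	}
	phi, err := Decrypt(kek, rec)
	fmt.Printf("round trip: %q err=%v\n", phi, err)
	rec.ID = "patient-2" // try to re-file the ciphertext under another patient
	_, err = Decrypt(kek, rec)
	fmt.Println("after ID swap:", err)
}
```

Two design points are worth noting: GCM authenticates as well as encrypts, so any modification of the stored bytes is detected on read rather than producing corrupted plaintext; and because only the small wrapped keys depend on the KEK, a KEK rotation re-wraps keys instead of re-encrypting all patient data.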
Let’s see how these principles of HIPAA compliance can be applied in real-life software development projects.
ScienceSoft designed an Android telehealth application for Chiron Health, a widely known telemedicine platform for medical video appointments. The app enables patients to book appointments and get consultations from their physicians over a video call. To ensure HIPAA compliance of the telehealth app, we applied:
- Password protection.
- User roles (a patient, a physician, an admin), each with its own permission settings.
- Login confirmed by a verification code sent by email or phone.
- In-transit encryption: HTTPS (TLS) for all communication with the server, and an encrypted peer-to-peer connection for the video session.
ScienceSoft developed an iOS mobile application for a European provider of mobile patient engagement software. The app gives inpatients secure access to their health history, lab results and medications, lets them communicate with caregivers, and offers entertainment. Here are some of the measures we applied to make the app HIPAA-compliant:
- PIN code protection (the PIN is set up by the patient’s case manager).
- User roles (a patient, a physician, a nurse, a case manager), each with its own permission settings.
- Secure communication channels (text, image and voice messages, video conferencing) protected by in-transit encryption.
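The user roles and permission settings listed for both projects above, together with the automatic logoff and access logging from the general measures, come together in a single authorization check in front of every PHI access. The following Go code is an added illustration written for this article, not the projects’ own code; the actions, the permission table, the 15-minute idle timeout, the user names and the in-memory audit slice are assumptions. It denies by default (an unknown role can do nothing), refuses a patient who asks for another patient’s record even though patients may read records, logs off a session that has been idle too long, and records every decision, allowed or denied, as an audit event.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// The roles are the ones the two projects above name; the actions, the
// permission table and the timeout value are this example's assumptions.
type Role string
type Action string

const (
	Patient, Physician, Nurse, CaseManager, Admin Role   = "patient", "physician", "nurse", "case_manager", "admin"
	ReadRecord, WriteRecord, ManageUsers          Action = "read_record", "write_record", "manage_users"
)

const IdleTimeout = 15 * time.Minute // automatic logoff after this much inactivity

// Deny by default: a role may do only what is listed here, and an unknown role may do nothing.
var permissions = map[Role]map[Action]bool{
	Patient:     {ReadRecord: true},
	Physician:   {ReadRecord: true, WriteRecord: true},
	Nurse:       {ReadRecord: true},
	CaseManager: {ReadRecord: true, ManageUsers: true},
	Admin:       {ManageUsers: true}, // runs the system, does not read PHI
}

type Session struct {
	User     string
	Role     Role
	LastSeen time.Time
}

type AuditEvent struct {
	At      time.Time
	User    string
	Action  Action
	Patient string // whose record was touched
	Allowed bool
	Reason  string
}

type Guard struct {
	Audit []AuditEvent     // in production: an append-only store, not a slice
	Now   func() time.Time // injectable clock so the logoff rule can be tested
}

var ErrLoggedOff = errors.New("session expired: automatic logoff")

// Authorize is the single choke point in front of every PHI access: it applies
// automatic logoff, the role table, and object-level ownership (a patient sees
// only their own record), and writes an audit event for every decision.
func (g *Guard) Authorize(s *Session, act Action, patient string) error {
	now := g.Now()
	if now.Sub(s.LastSeen) > IdleTimeout {
		// LastSeen is left stale, so every later call on this session fails too.
		g.record(now, s, act, patient, ErrLoggedOff)
		return ErrLoggedOff
	}
	s.LastSeen = now // any request inside the window counts as activity
	var err error
	switch {
	case !permissions[s.Role][act]:
		err = fmt.Errorf("role %q may not %s", s.Role, act)
	case s.Role == Patient && patient != s.User:
		err = fmt.Errorf("patient %s may not access the record of %s", s.User, patient)
	}
	g.record(now, s, act, patient, err)
	return err
}

func (g *Guard) record(at time.Time, s *Session, act Action, patient string, err error) {
	reason := "ok"
	if err != nil {
		reason = err.Error()
	}
	g.Audit = append(g.Audit, AuditEvent{at, s.User, act, patient, err == nil, reason})
}

func main() {
	g := &Guard{Now: time.Now}
	nurse := &Session{User: "nurse.lee", Role: Nurse, LastSeen: time.Now()}
	fmt.Println(g.Authorize(nurse, ReadRecord, "p1"))  // allowed
	fmt.Println(g.Authorize(nurse, WriteRecord, "p1")) // denied by the role table
	idle := &Session{User: "p2", Role: Patient, LastSeen: time.Now().Add(-time.Hour)}
	fmt.Println(g.Authorize(idle, ReadRecord, "p2")) // automatic logoff
	for _, e := range g.Audit {
		fmt.Printf("%s user=%s action=%s patient=%s allowed=%v reason=%q\n",
			e.At.Format(time.RFC3339), e.User, e.Action, e.Patient, e.Allowed, e.Reason)
	}
}
```

The point of routing every access through one function is that the audit trail is complete by construction: a denied request is logged with its reason just like an allowed one, which is exactly what an investigation after a suspected breach needs to see.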
Myth 1: HIPAA certification is obligatory to ensure or prove HIPAA compliance
There are plenty of HIPAA certification offers on the market, and they mislead many companies. Some think that these HIPAA compliance certificates are official documents and that it is obligatory to have them. In reality, neither HHS nor its Office for Civil Rights recognizes or endorses any HIPAA certification: compliance is demonstrated through your documented risk analysis, safeguards and policies, which is what an OCR audit or investigation examines. The HIPAA Security Rule does require a periodic technical and non-technical evaluation of your safeguards, but it does not require that a third party perform it or issue a certificate. Most such offers are third-party HIPAA compliance assessment or training services, which are optional.
Myth 2: HIPAA-compliant software ensures HIPAA compliance of an organization
Be it a telehealth app or a patient portal, a HIPAA-compliant healthcare solution is only one part of your internal digital and administrative system. To make your entire organization HIPAA-compliant, you need to create a HIPAA-compliant environment in which all the required safeguards (administrative, physical and technical) are in place across your internal processes. A properly implemented and configured HIPAA-compliant solution then becomes a reliable part of that environment.
HIPAA violations can result in multimillion-dollar fines and damage your public image and the trust of your patients or customers. To avoid these troubles, I recommend choosing a professional vendor with rich experience in delivering HIPAA-compliant solutions. So, if you are considering developing HIPAA-compliant software, you are welcome to turn to ScienceSoft’s healthcare IT team.
Looking for a solution to your healthcare IT challenge? Our experienced healthcare consultants are here to help.