HIPAA Compliance Checklist - Tech Solutions for Businesses

Learn about the requirements for HIPAA IT compliance. Pick technologies best suited for your software.
Nov 08, 2018

According to HHS, business associates are directly liable for violating the HIPAA Security Rule and Breach Notification Rule as well as certain provisions of the Privacy Rule.

If an implementation specification is described as “required”, it must be fulfilled. Addressable specifications must be implemented if it is reasonable and appropriate to do so, and the decision must be documented.

Business associates may use any technology solution to align with HIPAA requirements. In deciding which security measure to use, businesses should consider the following factors:

  • The size, complexity, and capabilities of their organization.
  • The technical infrastructure, hardware, and software security capabilities.
  • The costs of security measures.

Drawing on our experience in healthcare development, we recommend the following technical solutions for complying with HIPAA requirements.

Technical Safeguards

Description

Enable authorized users to access the minimum necessary information needed to perform job functions.

Implementation Specification
  • Unique User Identification (R)

    Description

    Assign each user a unique ID for identifying and tracking that user's activity.

    Tech.Solution

    1. Use the employee's name or a variation of it (e.g. jsmith).
    2. Use a set of random numbers and characters (harder for an unauthorized user to guess, but also harder for authorized users to remember and for management to recognize).
  • Emergency Access Procedure (R)

    Description

    Provide access to necessary ePHI during emergency conditions (when normal environmental systems, such as electrical power, have been damaged due to a natural or manmade disaster).

  • Automatic Logoff (A)

    Description

    Apply procedures that terminate an electronic session after a predefined period of inactivity.

    Tech.Solution

    1. Set a 10-minute period of inactivity after which the system is automatically locked. If the device is in a high-traffic area, set a timeout of 2 to 3 minutes. Equipment used in protected areas with controlled, limited access, such as a lab or an isolated office, may have longer timeout periods.
    2. Activate a password-protected operating system screensaver after a period of system inactivity.
  • Encryption and Decryption (A)

    Description

    All collected and stored ePHI should be encrypted, and decryptable only by a person holding the appropriate keys.

    Tech.Solution

    1. Store the sensitive data in a secure environment with proper physical and network security.
    2. Choose file/folder-level encryption and full-disk encryption for storing confidential information on mobile devices.
    3. Do not store the password to the PGP or S/MIME key in your system.
    4. Have users enter that password themselves and carry it from page to page in a session cookie rather than persisting it on the server; such a cookie must be marked Secure and HttpOnly and expire with the session.
    5. If you store ePHI in a MySQL database, ensure that the password to that database is not stored in your system.
    6. Encrypt the data before saving it in the database as an additional layer of security.
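As an added example (not code from the original article or from Belitsoft), the following Go snippet implements the inactivity timeout described under Automatic Logoff above for a server-side session: 10 minutes by default, 2 minutes for devices in high-traffic areas, and a longer period for controlled-access rooms. Activity arriving after the limit locks the session instead of extending it, so the lock cannot be defeated by a late request. The Zone names, the 30-minute controlled-access value and the Session type are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Zone describes where a workstation sits. The timeout policy follows the
// checklist: 10 minutes by default, 2 minutes in high-traffic areas, longer
// in controlled-access rooms. The zone names are assumptions for this example.
type Zone string

const (
	ZoneDefault     Zone = "default"
	ZoneHighTraffic Zone = "high-traffic"
	ZoneControlled  Zone = "controlled-access"
)

// IdleTimeout returns the inactivity period after which a session in the zone is locked.
func IdleTimeout(z Zone) time.Duration {
	switch z {
	case ZoneHighTraffic:
		return 2 * time.Minute // shared devices in corridors, reception desks
	case ZoneControlled:
		return 30 * time.Minute // hypothetical longer period for an isolated office or lab
	default:
		return 10 * time.Minute
	}
}

// Session tracks one user's last activity. UserID is the unique user identifier
// the checklist requires, so every lock and unlock is attributable to a person.
type Session struct {
	UserID       string
	Zone         Zone
	LastActivity time.Time
	Locked       bool
}

var ErrLocked = errors.New("session locked after inactivity; re-authentication required")

// Touch records activity at time now. If the idle limit has already elapsed,
// the session is locked and the activity is rejected rather than extending it.
func (s *Session) Touch(now time.Time) error {
	if s.Locked || now.Sub(s.LastActivity) >= IdleTimeout(s.Zone) {
		s.Locked = true
		return ErrLocked
	}
	s.LastActivity = now
	return nil
}

// Unlock re-opens a locked session; the caller must have verified the user's
// credentials (password, PIN, second factor) before calling it.
func (s *Session) Unlock(now time.Time) {
	s.Locked = false
	s.LastActivity = now
}

func main() {
	start := time.Date(2018, 11, 8, 9, 0, 0, 0, time.UTC) // constructed timestamp
	s := &Session{UserID: "jsmith", Zone: ZoneHighTraffic, LastActivity: start}
	fmt.Println(s.Touch(start.Add(90 * time.Second)))            // <nil>: 90 s idle is within 2 min
	fmt.Println(s.Touch(start.Add(5 * time.Minute)))             // locked: 3.5 min idle
	fmt.Println(s.Touch(start.Add(5*time.Minute + time.Second))) // still locked until Unlock
}
```

The policy lookup is deliberately separate from the session logic so that a device's zone can be stored with its inventory record and changed without touching the session code.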
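The following Go example, added here and not part of the original article, shows items 3 to 6 of the encryption list applied in code: each ePHI field is encrypted with AES-256-GCM before it is written to the database, the key is read from the environment (a KMS or HSM in production) so it is never stored alongside the data, and the record ID is bound as additional authenticated data so a ciphertext copied into another row fails to decrypt instead of yielding another patient's data. The variable name EPHI_KEY_HEX and the Seal/Open function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
)

// LoadKey reads the 256-bit data-encryption key from the environment so it is
// never written into the database or the application's own configuration.
// EPHI_KEY_HEX is an assumed variable name for this example.
func LoadKey() ([]byte, error) {
	key, err := hex.DecodeString(os.Getenv("EPHI_KEY_HEX"))
	if err != nil || len(key) != 32 {
		return nil, errors.New("EPHI_KEY_HEX must hold 32 bytes as 64 hex characters")
	}
	return key, nil
}

// Seal encrypts one field (e.g. a diagnosis note) with AES-256-GCM before it
// is stored. The record ID is bound as additional authenticated data, so a
// ciphertext moved to another row does not decrypt.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || tag. The nonce is not secret.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts a field produced by Seal. Any modification of the stored bytes,
// or a mismatched record ID, is reported as an error rather than wrong plaintext.
func Open(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed field too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	// Constructed key for the demo only; in production LoadKey supplies it.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, _ := Seal(key, "patient-1042", []byte("Dx: hypertension, stage 1"))
	fmt.Printf("stored in DB: %x\n", sealed)
	pt, err := Open(key, "patient-1042", sealed)
	fmt.Println(string(pt), err)
	_, err = Open(key, "patient-9999", sealed) // ciphertext moved to another row
	fmt.Println(err)
}
```

Because GCM authenticates as well as encrypts, this one primitive also covers the "improper alteration" concern of the Integrity standard for every field it protects.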
Description

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
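An added example (not from the article) of the record-and-examine mechanism in Go, which also covers the later "Log all the server actions" item under Access Control and Validation Procedures: every action on ePHI is written to an append-only audit log with the actor's unique user ID, and two examination queries run over it, one listing a user's history and one flagging accounts that viewed an unusual number of distinct patient records in a short window. The event fields, the thresholds and the constructed sample events are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AuditEvent is one recorded action on an information system holding ePHI.
// The field names are assumptions for this example.
type AuditEvent struct {
	At        time.Time
	UserID    string // unique user ID, so each action is attributable to one person
	Action    string // "view", "update", "export", "login_failed", ...
	PatientID string // empty for actions not tied to a patient record
	Outcome   string // "ok" or "denied"
}

// AuditLog is append-only: events are added and read, never edited or removed.
type AuditLog struct{ events []AuditEvent }

func (l *AuditLog) Record(e AuditEvent) { l.events = append(l.events, e) }

// ByUser returns a user's events in chronological order: the "examine" half of
// the control, answering who touched which record and when.
func (l *AuditLog) ByUser(userID string) []AuditEvent {
	var out []AuditEvent
	for _, e := range l.events {
		if e.UserID == userID {
			out = append(out, e)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].At.Before(out[j].At) })
	return out
}

// DistinctPatientsWithin flags users who successfully viewed more than limit
// distinct patient records inside any window of the given length. A clinician
// on shift rarely does; a browsing or scripted account does.
func (l *AuditLog) DistinctPatientsWithin(window time.Duration, limit int) []string {
	perUser := map[string][]AuditEvent{}
	for _, e := range l.events {
		if e.Action == "view" && e.Outcome == "ok" && e.PatientID != "" {
			perUser[e.UserID] = append(perUser[e.UserID], e)
		}
	}
	var flagged []string
	for user, evs := range perUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		for i := range evs {
			seen := map[string]bool{}
			for j := i; j < len(evs) && evs[j].At.Sub(evs[i].At) <= window; j++ {
				seen[evs[j].PatientID] = true
			}
			if len(seen) > limit {
				flagged = append(flagged, user)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// sampleLog builds a constructed set of events for the demo.
func sampleLog() *AuditLog {
	base := time.Date(2018, 11, 8, 9, 0, 0, 0, time.UTC)
	l := &AuditLog{}
	// jsmith: a normal shift, four patients over two hours.
	for i, p := range []string{"P-1", "P-2", "P-1", "P-3", "P-4"} {
		l.Record(AuditEvent{base.Add(time.Duration(i) * 30 * time.Minute), "jsmith", "view", p, "ok"})
	}
	// x7k2q: twelve distinct records in under six minutes, after a failed login.
	l.Record(AuditEvent{base, "x7k2q", "login_failed", "", "denied"})
	for i := 0; i < 12; i++ {
		l.Record(AuditEvent{base.Add(time.Duration(i) * 30 * time.Second), "x7k2q", "view", fmt.Sprintf("P-%d", 100+i), "ok"})
	}
	return l
}

func main() {
	l := sampleLog()
	fmt.Println("events recorded for jsmith:", len(l.ByUser("jsmith")))
	fmt.Println("flagged (>5 distinct patients in 10 min):", l.DistinctPatientsWithin(10*time.Minute, 5))
}
```

In a deployment the log would live in storage the application can only append to (a separate database user, a write-once bucket, or a SIEM), so that the people whose actions it records cannot edit it.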

Description

Protect ePHI from improper alteration or destruction by both technical and non-technical parties acting without authorization. Workforce members may, for example, make accidental changes that improperly alter or destroy ePHI; data can also be compromised without human intervention, for instance through electronic media errors or failures.

Implementation Specification

Mechanism to Authenticate Electronic Protected Health Information (A)

Description

Implement electronic mechanisms to protect ePHI from alteration or destruction by a virus or other malicious code.

Tech.Solution

Back up the information in the DB and store it on an external cloud service (block storage).
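Added example, not the article's code: a Go mechanism that authenticates stored ePHI with an HMAC-SHA256 tag computed under a key kept outside the database, so that a record altered by malicious code, a media error or an unauthorized edit is detected when it is read back or when a backup restored from cloud storage is checked before use. The Record fields and the constructed rows are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is a minimal stored ePHI row. The field names are assumptions.
type Record struct {
	ID        string
	PatientID string
	Diagnosis string
	Tag       string // hex HMAC-SHA256 over the other fields
}

// canonical serializes the authenticated fields with a length prefix on each,
// so that "ab"+"c" and "a"+"bc" cannot produce the same input to the MAC.
func canonical(r Record) []byte {
	var b strings.Builder
	for _, f := range []string{r.ID, r.PatientID, r.Diagnosis} {
		fmt.Fprintf(&b, "%d:%s;", len(f), f)
	}
	return []byte(b.String())
}

// Sign computes the authentication tag under a key held outside the database
// (a KMS in production); someone who can edit rows cannot recompute it.
func Sign(key []byte, r Record) Record {
	mac := hmac.New(sha256.New, key)
	mac.Write(canonical(r))
	r.Tag = hex.EncodeToString(mac.Sum(nil))
	return r
}

// Verify recomputes the tag and compares in constant time; it returns false for
// any altered field, a missing tag, or a tag copied from another record.
func Verify(key []byte, r Record) bool {
	want, err := hex.DecodeString(r.Tag)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(canonical(r))
	return hmac.Equal(want, mac.Sum(nil))
}

// VerifyBackup checks every restored record and returns the IDs that fail,
// which is how a restore from cloud storage is validated before it is trusted.
func VerifyBackup(key []byte, rows []Record) []string {
	var bad []string
	for _, r := range rows {
		if !Verify(key, r) {
			bad = append(bad, r.ID)
		}
	}
	return bad
}

func main() {
	key := []byte("constructed-demo-key; use a KMS in production")
	rows := []Record{
		Sign(key, Record{ID: "r1", PatientID: "P-1", Diagnosis: "asthma"}),
		Sign(key, Record{ID: "r2", PatientID: "P-2", Diagnosis: "type 2 diabetes"}),
	}
	rows[1].Diagnosis = "type 1 diabetes" // simulated media error or unauthorized edit
	fmt.Println("records failing integrity check:", VerifyBackup(key, rows))
}
```

Run VerifyBackup against each restored backup set on a schedule as well as after a restore, so a silently corrupted archive is noticed before it is the only copy left.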

Description

Verify that a person or entity seeking access to ePHI is who they claim to be.

Tech.Solution
  1. Require something known only to that individual, such as a password or PIN.
    • The password should be as long as possible (between six and 10+ characters) and include a combination of numbers, special characters, and upper- and lower-case letters.
    • It should be changed at least every six months, or immediately whenever the password becomes known to another person, and current or previous passwords must not be reused.
    • Password expiration can be enforced in the application: this logic prevents users from logging in with an expired password and forces them to change it.
  2. Require a physical device such as a token, or a telephone callback function.
  3. Require something unique to the individual, such as a biometric (e.g. fingerprints, voice patterns, facial patterns or iris patterns).
  4. Use two-factor authentication:
    • By SMS or push notification: a person logging in with a username and password also has to enter a PIN code to confirm their identity.
    • A fingerprint scan (biometric) followed by entry of a password.
    • Integration with Google Authenticator or a similar service.
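Added example in Go (not code from the article or from Belitsoft) covering items 1 and 4 above: a login check that refuses a correct but expired password and forces a change, a change routine that rejects reuse of the current or any previous password, and an RFC 6238 TOTP verifier compatible with the codes Google Authenticator generates. PasswordPolicy, Credential, the 182-day maximum age and the 10-character minimum are assumptions of this example; Hash is a stand-in for a slow salted hash and is not a recommendation.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// PasswordPolicy holds the checklist's rules: rotation at least every six months
// and no reuse of current or previous passwords. The type, the 182-day maximum
// age and the 10-character minimum are assumptions of this example.
type PasswordPolicy struct {
	MinLength int
	MaxAge    time.Duration
}

var DefaultPolicy = PasswordPolicy{MinLength: 10, MaxAge: 182 * 24 * time.Hour}

// Credential is the server-side state for one user; PrevHashes keeps retired
// passwords so they cannot be reused.
type Credential struct {
	Hash       string
	ChangedAt  time.Time
	PrevHashes []string
}

// Hash stands in for a slow, salted password hash (bcrypt/argon2 in production);
// plain SHA-1 is used only to keep this example dependency-free.
func Hash(pw string) string { s := sha1.Sum([]byte(pw)); return hex.EncodeToString(s[:]) }

var ErrExpired = errors.New("password expired; change required before login")

// Login refuses a correct but expired password, so the caller must route the
// user to ChangePassword (the checklist's "force them to change it").
func (p PasswordPolicy) Login(c Credential, pw string, now time.Time) error {
	if !hmac.Equal([]byte(Hash(pw)), []byte(c.Hash)) {
		return errors.New("invalid credentials")
	}
	if now.Sub(c.ChangedAt) > p.MaxAge {
		return ErrExpired
	}
	return nil
}

// ChangePassword enforces the length and no-reuse rules, then rotates the hash.
func (p PasswordPolicy) ChangePassword(c Credential, newPw string, now time.Time) (Credential, error) {
	if len(newPw) < p.MinLength {
		return c, fmt.Errorf("password shorter than %d characters", p.MinLength)
	}
	h := Hash(newPw)
	for _, old := range append([]string{c.Hash}, c.PrevHashes...) {
		if old == h {
			return c, errors.New("current or previous passwords cannot be reused")
		}
	}
	c.PrevHashes = append(c.PrevHashes, c.Hash)
	c.Hash, c.ChangedAt = h, now
	return c, nil
}

// TOTP is RFC 6238 as generated by Google Authenticator: HMAC-SHA1 over the
// 30-second step counter, dynamically truncated to six digits.
func TOTP(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// VerifyTOTP accepts the current step and one step on either side to absorb clock drift.
func VerifyTOTP(secret []byte, code string, now time.Time) bool {
	for _, d := range []time.Duration{-30 * time.Second, 0, 30 * time.Second} {
		if hmac.Equal([]byte(TOTP(secret, now.Add(d))), []byte(code)) {
			return true
		}
	}
	return false
}
```

The second factor is checked only after the password succeeds and is not expired, and a submitted code should be accepted once per step (keep the last step used per user) so that an observed code cannot be replayed within the drift window.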


Description

Prevent unauthorized access to ePHI that is being transmitted over an electronic communications network.

Implementation Specification
  • Integrity Controls (A)

    Description

    Ensure that ePHI is not improperly modified during transmission (it applies to all individual health information that is maintained or transmitted).

    Tech.Solution

    1. Use secure network communication protocols.
    2. Secure your web solution with SSL/TLS, PGP or AES encryption. Do not use FTP to transfer patient data to/from payers and other medical organizations; choose SFTP instead.
  • Encryption (A)

    Description

    Communication containing PHI (either in the body or as an attachment) that goes beyond an internal firewalled server should be encrypted. It should also be considered that emails containing PHI are part of a patient's medical record and should, therefore, be encrypted and backed up.
    This applies to any form of electronic communication - email, SMS, instant message, etc.
    The encryption requirements apply to every part of the IT system, including servers like Amazon Cloud or Microsoft Azure.

    NIST recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME.

Physical Safeguards

Description

Limit physical access to the electronic information system, while ensuring that properly authorized access is allowed.

Implementation Specification
  • Contingency operations (A)

    Description

    Allow facility access to the physical office and stored data even during an emergency.

  • Facility Security Plan (A)

    Description

    Define and document the use of physical access control to protect equipment that stores ePHI from unauthorized access and theft.

  • Access Control and Validation Procedures (A)

    Description

    Control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

    Tech.Solution

    Log all the server actions.

  • Maintenance Records (A)


    Tech.Solution

    In a small office, documentation may simply be a logbook that notes the date, reason for repair or modification and who authorized it. In a large organization, various repairs and modifications of physical security components may need to be documented in more detail and maintained in a database.

Description

Restrict the use of workstations that have access to ePHI. Specify the protective surrounding of a workstation. Regulate how functions are to be performed on the workstations that can access ePHI.

Implementation Specification
  1. Automatic logoff.
  2. Use and continually update antivirus software.
  3. Configure web filtering.

Description

Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.

Description

Manage how ePHI is transferred, removed or disposed of from mobile devices when the user leaves the organization or the device is reused, sold, etc.

Implementation Specification
  • Disposal (R)

    Description

    Data must be permanently disposed of when required. Consider every place where the data may have been archived, and ensure that all of those backups expire and are deleted as well.

    Tech.Solution

    Block Storage

  • Media Re-use (R)

    Description

    Remove ePHI from electronic media before the media are made available for reuse.

    Manually remove patient data from electronic storage media, including memory devices in computers (hard drives) and any removable or transportable digital memory media, such as backup tapes, optical disks, or smart cards.

  • Accountability (A)

    Description

    Maintain a record of the movements of hardware and electronic media and of any person responsible therefor.

  • Data Backup and Storage (A)

    Description

    The HIPAA Rules do not dictate where ePHI may or may not be maintained. Thus, BAs are not prohibited from storing PHI outside of the United States (though there are other laws that may restrict the practice of storing PHI offshore; for example, some state Medicaid programs prohibit the offshoring of Medicaid data).
    ePHI that is collected, stored and used within your solution has to be backed up. The backup copy should be stored in a secure environment and, as a best practice, there should be several backups stored in different locations.
    Also, the copy should be readily retrievable if the hardware or electronic media is damaged.

    Tech.Solution

    1. Automatic data backup.
    2. Email archiving.

Administrative Safeguards

Description

Administrative Safeguards fall outside the realm of software development; however, they are mandatory guidelines for any business that works with health information. Administrative security tasks involve:

  • Appoint security officers who will regularly perform the risk assessment.
  • Introduce risk management policies and procedures.
  • Train employees on identifying potential cyber attacks and document all training.
  • Restrict third-party access to ePHI.
  • Develop a contingency plan to protect the integrity of ePHI, including data backups and procedures to restore lost data in case of emergency.

HIPAA Privacy Rules

Description

HIPAA Privacy Rules refer to the use and disclosure of PHI and apply to any healthcare organization and its business associates. According to the rules, a BA may not use, access, or disclose PHI without the patient's consent, except for purposes of treatment, payment or certain health care operations, and for certain public safety and government functions, including reporting of abuse and neglect, responding to government investigations, or disclosures to avoid a serious and imminent threat to the individual. However, before making disclosures for such purposes, the BA should consult with the CE.

Tech.Solution

The app shall have a section (tab, button or equivalent) or active link to its Privacy Policy, and the owner represents that commercially reasonable efforts are used to notify users of any material changes to its Privacy Policy.
Use a limited data set.

HIPAA Breach Notification Rules

Description

Require BAs to promptly notify the Department of Health and Human Services of small security breaches within 60 days after the breach is discovered. Larger breaches (affecting 500+ patients) must also be reported to the media. Plus, BAs must notify their CE, which in turn must notify the individuals.

Breach notifications should include the following information:

  • The nature of the ePHI involved, including the types of personal identifiers exposed.
  • The unauthorized person who used the ePHI or to whom the disclosure was made (if known).
  • Whether the ePHI was actually acquired or viewed (if known).
  • The extent to which the risk of damage has been mitigated.

In all cases, patients must be notified and informed of steps they can take to mitigate potential damage.

Tech.Solution

Prepare a mass mailing plan for this contingency.

Maintain Required Documentation

Description

Maintain the documents required by the Security Rule for six years from the document’s last effective date. Ensure that you have written training standards as well as written penalties that employees are informed of in the case of a violation.
