As efforts to improve healthcare quality continue, many providers seek to deliver health solutions to their patients.
These software solutions increase patient engagement through mobile apps, patient portals, and similar applications.
And health apps are skyrocketing.
Deloitte Global predicts that mobile mental health applications alone will bring in close to $500 million this year.
More than 60 percent of mobile users in the US have already downloaded some kind of mobile health (mHealth) app.
And it’s not just the mobile app market that’s booming.
A Grandview Research study estimates that the healthcare IT market will grow from 21 percent to 32 percent in the next five years.
This rapid-growth market may be tempting your organization to develop its own healthcare software.
Whether you partner with a healthcare software development company or have an internal team build the app, the final product must comply with health industry regulations. And in the US, that means HIPAA and HITECH.
This article looks at what it takes to build a healthcare app that ticks all the boxes on the HIPAA compliance checklist.
Who Needs HIPAA Compliance?
HIPAA compliance applies to any HIPAA Covered Entity or Business Associate with access to Protected Health Information (PHI).
A Covered Entity can be a physician, a clinic, a health insurance provider, or a healthcare clearinghouse. You can find a full breakdown on the HHS website.
A Business Associate is any person or company that works with a Covered Entity and has access to PHI. Covered Entities can share PHI with a Business Associate only to help the Covered Entity provide healthcare and “not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.” Again, a more detailed discussion can be found on the HHS website.
What Happens if an App Isn’t HIPAA Compliant?
The penalties for violating HIPAA depend on the nature of the violation, the level of responsibility, and the transparency and help given to HHS during their investigation of the breach.
The penalties are outlined in the HITECH Act and increase every year. Currently, the fines range from $10,000 up to several million dollars.
In addition to the financial impact, a HIPAA violation can significantly damage the app’s reputation and even the reputation of the business and its leadership. HHS inspections can examine every layer of the company, potentially exposing more violations.
What Are the HIPAA Compliance Requirements?
The HIPAA compliance requirements are a set of rules and guidelines put in place to protect PHI and maintain patients’ privacy.
Like any industry regulation, the HIPAA guidelines can be challenging to understand. To help clarify what you need to do to make your app HIPAA certified, let’s look at the rules for software solutions.
The HIPAA Security Rule
The HIPAA Security Rule establishes national standards for securing PHI when it is created, received, used, or maintained electronically by a Covered Entity. HIPAA security rules define three standards of safeguards that you must follow.
Administrative Safeguards: These safeguards define the standards for security management practices (i.e., risk analysis, risk management), assigned security responsibilities, workforce security, security awareness and training, and information access control.
Technical Safeguards: These safeguards define the standards for security access control (i.e., automatic logoff, encryption), audit controls, data integrity, entity authorization, and transmission security.
Physical Safeguards: These safeguards define the standards for facility access control, workstation use, workstation security, and device and media controls.
The HIPAA Privacy Rule
The HIPAA Privacy Rule defines standards for securing electronic Protected Health Information (ePHI). These standards include creating appropriate safeguards for ePHI, instituting limits and conditions for the use of ePHI, and giving patients access to view their ePHI.
This rule addresses many state laws that all define how healthcare providers and insurers can use, share, and disclose PHI. It establishes a baseline for PHI use that meets or exceeds most state laws, but does not supersede state laws that provide stronger privacy protection.
The Minimum Necessary Rule
A key element of the Privacy Rule is the Minimum Necessary Rule. This rule mainly applies to Covered Entities (i.e., healthcare providers). It stipulates that they make reasonable efforts to limit access to PHI to the minimum necessary.
In addition, it requires them to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of PHI. It’s also known as the “Minimum Necessary Standard” or “Minimum Necessary Requirement.”
The HIPAA Breach Notification Rule
The HITECH Act created new requirements regarding the disclosure of information breaches by adding the Breach Notification Rule to HIPAA.
The rule defines a breach as the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule.
HIPAA’s Breach Notification Rule requires you to report breaches of PHI information to affected individuals, the HHS, and, in some cases, the media.
In most cases, you must provide these notifications within 60 days of discovering the breach. Exceptions to this are if the breach affects fewer than 500 individuals, in which case notice may be submitted to the HHS annually.
The Breach Notification Rule also requires Business Associates of Covered Entities to notify the Covered Entity of a breach.
The HIPAA Omnibus Rule
The HIPAA Omnibus Rule gave the HHS the resources to investigate breaches and impose fines for noncompliance. It is a massive rule that fills over 500 pages.
In summary, the Omnibus Rule contains four final rules:
1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the HITECH Act and certain other changes to improve the rules. These modifications include:
- Making Business Associates of Covered Entities directly liable for compliance with certain HIPAA Privacy and Security Rules’ requirements.
- Strengthening limitations on the use and disclosure of PHI for marketing and fundraising purposes and prohibiting the sale of PHI without individual authorization.
- Expanding individuals’ rights to receive electronic copies of their health information and restricting disclosures to a health plan about treatments that the individual paid for in full using their own funds (i.e., out of pocket).
- Requiring modifications to, and redistribution of, a Covered Entity’s notice of privacy practices. The rule also modified individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools and enable access to decedent information by family members or others.
- Adopting the additional HITECH Act enhancements to the Enforcement Rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
2. A final rule adopting changes to the HIPAA Enforcement Rule to incorporate increased and tiered fines described in the HITECH Act.
3. A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the Breach Notification Rule’s “harm” threshold with a more objective standard.
4. A final rule modifying the HIPAA Privacy Rule to prohibit most health plans from using or disclosing genetic information for underwriting purposes.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule describes how the HHS will conduct investigations of HIPAA violations, manage any resulting hearings, and impose penalties. It is important to note other agencies (for example, the Centers for Medicare and Medicaid) can take HIPAA enforcement actions, and these agencies may have their own procedures.
The Enforcement Rule also describes the penalty structure for HIPAA violations:
Category 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA rules.
Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care, but falling short of willful neglect of HIPAA rules.
Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA rules, in cases where an attempt has been made to correct the violation.
Category 4: A violation of HIPAA rules constituting willful neglect, where no attempt has been made to correct the violation.
NOTE: Fines are issued per category per year that the violation was allowed to persist.
The Enforcement Rule also describes criminal HIPAA violations. The Department of Justice prosecutes these types of offenses based on a 3-tier system:
Tier 1: Reasonable cause or no knowledge of the violation. Penalty: Up to 1 year in prison.
Tier 2: Obtaining PHI under false pretenses. Penalty: Up to 5 years in prison.Tier 3: Obtaining PHI for personal gain or with malicious intent. Penalty: Up to 10 years in prison.
GDPR and HIPAA
The European Union’s General Data Protection Regulation (GDPR) adds an additional set of regulations for Covered Entities and Business Associates that collect, process, share, or store data relating to EU citizens (for example, if an EU citizen receives medical treatment in the US). You can find more information on GDPR compliance in our blog post, Healthcare Compliance: All You Need to Know.
Health compliance is a complex arena with severe penalties for HIPAA violations—even accidental exposures. It’s a field that requires intense study to master. No healthcare software development guide can give you all the information you need to ensure compliance.
If you’re considering a custom healthcare app, we strongly recommend that, at minimum, you engage a healthcare industry consultant to ensure your software is HIPAA-compliant.