When it comes to our health, most of us would like to believe our medical and health information is kept private. We like to believe that only the people that are authorized to view these records should have access to such sensitive information. With technology in the form of information systems becoming more prevalent in the healthcare field, web developers and the like have to make sure they follow patient privacy laws.
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its regulations (the “Privacy Rule” and the “Security Rule”) protect the privacy of an individual’s health information and govern the way certain health care providers and benefits plans collect, maintain, use and disclose protected health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.
Now that we have a little background information, how does all this apply to the web development and software field?
Covered entities have been advised by HIPAA regulators to work with their software vendors to produce software that complies with the security rule. Software must be modified to fit specific security safeguards. There are some technical safeguards that need to be met when dealing with medical information electronically.
Access control must be put in place to ensure only those that are authorized can access electronic protected health information, or PHI. Implementations such as unique user identification, automatic log off, emergency access procedures, and encryption verification must be put in place to ensure access control. PINs must also be established to further protect your information. You don’t want hackers or unwanted individuals to view such sensitive information. Even a lapse as simple as forgetting to log out of a computer in a public place is covered by automatic log off, which keeps your health information away from prying eyes.
Audit controls must be put in place to record and examine activity in information systems that contain or use PHI. Under HIPAA an entity must, “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” When determining if a security violation occurred, tracking systems are a useful tool to record and examine information system activity.
Integrity controls must also be put in place to ensure information is not altered or destroyed. If it is, many problems can arise, including patient safety issues. Risks must be analyzed and measures must be put in place based on those risks to ensure PHI is not altered, destroyed, or deleted for any reason.
Last but not least, transmission security must be put in place to guard against unauthorized access to PHI that is being transmitted over an electronic network. The two implementation specifications for this safeguard are integrity controls and encryption.
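The four safeguards above are easier to picture in code than in regulation text. The following is an added example, not code from the original post or from any HHS guidance: a small Python model of an application that enforces per-user authorization keyed by a unique user id, expires idle sessions (automatic log off), writes every access attempt to an audit log, and chains the audit entries with HMACs so that a tampered entry is detectable (an integrity control). The user directory, patient ids, 15-minute timeout, and the inline key are all constructed for illustration; a real deployment would hold the key in a KMS or HSM and would rely on TLS for transmission security, which this offline example does not cover.

```python
import hashlib
import hmac
import json
import time

# Assumed policy value for the example: idle sessions are logged off after 15 minutes.
SESSION_TIMEOUT_SECONDS = 15 * 60

# Constructed sample directory: each unique user id maps to the patients it may view.
USERS = {
    "dr.lee": {"role": "physician", "patients": {"P-001", "P-002"}},
    "nurse.kim": {"role": "nurse", "patients": {"P-001"}},
    "billing.ann": {"role": "billing", "patients": set()},
}


class AuditLog:
    """Append-only activity log whose entries are HMAC-chained.

    Each MAC covers the previous MAC plus the current entry, so editing,
    deleting or reordering any entry breaks verification of everything after it.
    Entries hold identifiers and outcomes only, never the PHI itself.
    """

    def __init__(self, key: bytes):
        # Key is inline only so the example runs offline; in production it is
        # fetched from a key-management service and never stored with the log.
        self._key = key
        self.entries = []
        self._prev_mac = b""

    def _mac(self, prev_mac: bytes, body: dict) -> str:
        payload = prev_mac + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, user_id, action, patient_id, outcome, now=None):
        body = {
            "ts": now if now is not None else time.time(),
            "user": user_id,
            "action": action,
            "patient": patient_id,
            "outcome": outcome,
        }
        mac = self._mac(self._prev_mac, body)
        entry = dict(body, mac=mac)
        self.entries.append(entry)
        self._prev_mac = mac.encode()
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = b""
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if not hmac.compare_digest(self._mac(prev, body), entry["mac"]):
                return False
            prev = entry["mac"].encode()
        return True


class Session:
    """Tracks the last activity time so idle sessions can be logged off."""

    def __init__(self, user_id: str, started_at: float):
        self.user_id = user_id
        self.last_activity = started_at

    def is_expired(self, now: float) -> bool:
        return now - self.last_activity > SESSION_TIMEOUT_SECONDS


def read_record(session, patient_id, records, audit, now):
    """Return the patient's record only if the session is live and authorized.

    Every attempt, allowed or denied, is written to the audit log.
    """
    if session.is_expired(now):
        audit.record(session.user_id, "read", patient_id, "denied:session-expired", now)
        raise PermissionError("session expired; automatic logoff")
    session.last_activity = now
    user = USERS.get(session.user_id)
    if user is None or patient_id not in user["patients"]:
        audit.record(session.user_id, "read", patient_id, "denied:not-authorized", now)
        raise PermissionError("user not authorized for this patient")
    audit.record(session.user_id, "read", patient_id, "ok", now)
    return records[patient_id]


def demo():
    """Walk through an allowed read, a denied read, a timed-out session and a tamper check."""
    records = {"P-001": {"dx": "constructed sample"}, "P-002": {"dx": "constructed sample"}}
    audit = AuditLog(b"constructed-demo-key")
    session = Session("nurse.kim", started_at=1000.0)
    outcomes = []
    for patient, now in (("P-001", 1100.0), ("P-002", 1200.0), ("P-001", 1200.0 + 16 * 60)):
        try:
            read_record(session, patient, records, audit, now)
            outcomes.append("ok")
        except PermissionError as exc:
            outcomes.append(str(exc))
    chain_ok = audit.verify()
    audit.entries[0]["outcome"] = "tampered"  # simulate an attacker editing the log
    return outcomes, chain_ok, audit.verify()


if __name__ == "__main__":
    print(demo())
```

The audit log deliberately records who touched which patient id and with what outcome, not the record contents; that satisfies the "record and examine activity" requirement without turning the log itself into a second store of PHI.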
Software developers should be familiar with the HIPAA security and privacy rules, which require confidentiality, integrity, and availability of protected health information. Protected health information should be accessible to authorized persons and entities, kept private from unauthorized viewing, and protected from unauthorized modification. Uncle Sam says you can never be too safe.
For more information on HIPAA laws:
https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/index.html