Health Insurance Portability and Accountability Act (HIPAA) compliance should be a serious concern for anyone building an application that deals with healthcare data.
HIPAA has two main purposes. The first purpose is to ensure American workers are able to retain health insurance coverage when changing or losing their job (portability) and the second purpose is to ensure the protection and confidentiality of health information (accountability). The accountability part is what you should be most concerned with when building a healthcare application. Unfortunately, outdated and unclear guidelines make for a frequently frustrating path forward for developers and there is a lot to navigate to ensure compliance.
When Do I Need to be HIPAA Compliant?
Imagine that you’re at work and you start to run a fever. You have meetings all afternoon and a big client is coming in tomorrow morning. You don’t feel like it’s worth your time to take off work, miss all of your important meetings, drive across town in traffic, and wait for an hour in the lobby, all just for a ten-minute visit with your doctor. However, if you went you could ask questions and get the help you need.
Wait a second… Isn’t there an app for that? Can’t I stay at work, message a doctor my questions, get help, and not miss a single meeting?
Sending a message with electronic protected health information, in any way, is highly regulated under HIPAA, and for good reason. Who would want their cell phone provider or a third party knowing their sensitive medical information? How would you feel if someone shared or sold the details of your medical history without your explicit permission?
You must ensure your service is HIPAA compliant if you are building an application that is transmitting or storing protected health information.
There are four key rules defined by HIPAA to achieve accountability:
- The Standards for Privacy of Individually Identifiable Health Information gives patients rights regarding their protected health information and identifies proper use and disclosure for patient care and other purposes.
- The Security Standards for the Protection of Electronic Protected Health Information outlines the necessary physical, technical, and administrative safeguards for securing electronic protected health information.
- The Enforcement Rule is concerned with enforcing HIPAA. It deals with compliance, investigations, penalties for violations, and procedures for hearings.
- The Breach Notification Rule requires “HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.”
Unauthorized use or disclosure of protected health information by covered entities (hospitals, doctors, health insurance companies) and business associates (cloud billing services, web hosting) bring the risk of severe civil and criminal penalties. Depending on the nature, extent, and harm resulting from a violation you can be subject to a fine that can range from $100 to $50,000 for a civil violation and a fine of $250,000 with imprisonment up to 10 years for a criminal violation. In addition to fines and jail time, you may face lawsuits, reputation damage, and revenue loss.
What is Considered Electronic Protected Health Information (ePHI)?
Any protected health information that is created, transmitted, or stored electronically is referred to as electronic PHI (ePHI) and must be handled with the appropriate security controls in compliance with HIPAA Security Rule requirements.
There are 18 types of information classified as ePHI under HIPAA. If you create, transmit, receive, or store any of this information you must follow HIPAA safeguards for handling the data:
3. Dates (of appointments, payments, etc.)
4. Telephone number
5. Fax number
6. Email address
7. Social Security number
8. Medical record number
9. Health plan/insurance beneficiary number
10. Account number
11. Certificate / license number
12. Any vehicle identifiers (e.g. license plate number)
13. Device identifiers and serial numbers
14. Web URLs (Links)
15. Internet Protocol (IP) address
16. Biometric identifiers (finger / retinal / voice)
17. Photographic images
18. Any other characteristic that may be used to uniquely identify an individual
What Safeguards Should I Consider to Secure Protected Health Information?
When building a healthcare application you should take every precaution to secure ePHI. You’re responsible for ensuring you are following the safeguards set by HIPAA. Many of the resources provided by the government are outdated and are no longer relevant.
You can refer to the HIPAA Developer Portal from the U.S. Department of Health and Human Services for more information about building a compliant app and the safeguards you should follow.
A few best practices:
- Don’t collect information you don’t need. Information you collect should have a clear purpose.
- Data must be encrypted when stored and when transmitted.
- Have Business Associate Agreement with any third party providers.
- SMS, MMS, and Push Notifications are not encrypted. Make sure they don’t contain ePHI.
- Permanently dispose of ePHI when no longer needed in a secure way.
- Securely back up ePHI so it can be recovered in case of an emergency or accidental deletion.
- Avoid including ePHI into log files which are generally poorly protected.
- Take steps to ensure the integrity of ePHI when stored and accessed.
- Only authorized personnel using individual and audited access controls should have access to ePHI.
- Have your application reviewed by a qualified security specialist. Don’t expect developers to be HIPAA or security experts.
How do I Build a HIPAA Compliant Application the Easy Way?
There are a lot of factors to consider when building a healthcare application and it’s easy to get overwhelmed by the poorly documented guidelines. The best way to ensure HIPAA compliance with less work is to use a HIPAA compliant service to transmit and store ePHI instead of doing the work yourself. Using an existing and secured service lets you time to focus on innovating your application without worrying about building the HIPAA complaint infrastructure and scaling it.
Is PubNub HIPAA Compliant?
YES. Whether it’s building HIPAA compliant chat, or signaling and dispatching emergency response, PubNub provides the secure, scalable, and reliable infrastructure to power it all. You can safely use PubNub to stream or store sensitive health information. PubNub will sign a Business Associate Agreement.
PubNub has been HIPAA compliant since 2015 and has many customers in the healthcare industry, such as New York Presbyterian, AthenaHealth and OneDrop.
Because PubNub took the time to understand the healthcare industry and put in the hard work required to be HIPAA compliant, that’s something we don’t have to worry about. We were able to MVP the product quickly with HIPAA compliance already built-in.
-Sameer Khanna, VP of Engineering at Pager
Build a Healthcare Application
Get started building a healthcare application using PubNub with these resources:
- Want to learn more? eBook: So You’re Building a HIPAA Compliant App.
- Transmitting ePHI? Check out the Data Stream Network.
- Building HIPAA chat? Check out ChatEngine.
- Dashboards and monitoring? Check out Project EON.
Have suggestions or questions about the content of this post? Reach out at firstname.lastname@example.org.