Health Insurance Portability and Accountability Act (HIPAA) compliance should be a serious concern for anyone building an application that deals with healthcare data.
HIPAA has two main purposes. The first is to ensure American workers can keep their health insurance coverage when they change or lose their job (portability); the second is to ensure the protection and confidentiality of health information (accountability). The accountability part is what you should be most concerned with when building a healthcare application. Unfortunately, outdated and unclear guidelines make for a frequently frustrating path for developers, and there is a lot to navigate to ensure compliance.
Imagine that you’re at work and you start to run a fever. You have meetings all afternoon and a big client is coming in tomorrow morning. You don’t feel like it’s worth your time to take off work, miss all of your important meetings, drive across town in traffic, and wait for an hour in the lobby, all just for a ten-minute visit with your doctor. However, if you went you could ask questions and get the help you need.
Wait a second… Isn’t there an app for that? Can’t I stay at work, message a doctor my questions, get help, and not miss a single meeting?
Sending a message with electronic protected health information, in any way, is highly regulated under HIPAA, and for good reason. Who would want their cell phone provider or a third party knowing their sensitive medical information? How would you feel if someone shared or sold the details of your medical history without your explicit permission?
You must ensure your service is HIPAA compliant if you are building an application that is transmitting or storing protected health information.
There are four key rules defined by HIPAA to achieve accountability:
Unauthorized use or disclosure of protected health information by covered entities (hospitals, doctors, health insurance companies) and business associates (cloud billing services, web hosting providers) carries the risk of severe civil and criminal penalties. Depending on the nature and extent of a violation and the harm resulting from it, civil fines range from $100 to $50,000 per violation, and a criminal violation can bring a fine of up to $250,000 with imprisonment of up to 10 years. In addition to fines and jail time, you may face lawsuits, reputation damage, and revenue loss.
Any protected health information that is created, transmitted, or stored electronically is referred to as electronic PHI (ePHI) and must be handled with the appropriate security controls in compliance with HIPAA Security Rule requirements.
HIPAA's Safe Harbor de-identification standard lists 18 identifiers. Health information that is linked to any of them is PHI (ePHI when handled electronically), so if you create, transmit, receive, or store such data you must follow the HIPAA safeguards for handling it:
1. Names
2. Geographic subdivisions smaller than a state (street address, city, county, ZIP code)
3. Dates directly related to an individual (birth, admission, discharge, appointment, payment dates, etc.)
4. Telephone number
5. Fax number
6. Email address
7. Social Security number
8. Medical record number
9. Health plan/insurance beneficiary number
10. Account number
11. Certificate / license number
12. Vehicle identifiers and serial numbers (e.g. license plate number)
13. Device identifiers and serial numbers
14. Web URLs
15. Internet Protocol (IP) address
16. Biometric identifiers (fingerprints, retinal scans, voice prints)
17. Full-face photographs and comparable images
18. Any other unique identifying number, characteristic, or code
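A practical use of the list above is a pre-send check that flags messages carrying one of the pattern-detectable identifiers so they are never pushed through a channel that is not covered by a Business Associate Agreement. The following is an added example written for this post; it is not code from the original article or from PubNub. The category names, the (US-centric, simplified) regexes, the assumed "MRN <digits>" convention and the sample messages are all assumptions constructed for illustration. It is a heuristic guard, not a de-identification tool: names, addresses, biometrics, photos and the catch-all 18th category cannot be caught by pattern matching, so a real system must route ePHI through a BAA-covered channel by design rather than rely on filtering.

```python
"""Pre-send scanner for HIPAA Safe Harbor identifiers in free-text messages.

Added example, not code from the original post or from PubNub. Category
names, regexes and sample messages are assumptions made for illustration.
"""
import re
from typing import Dict, List

# Safe Harbor category -> simplified pattern (assumed formats, US-centric).
IDENTIFIER_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 10-digit US number, optional +1, optional parentheses/separators.
    "phone": re.compile(
        r"(?<!\w)(?:\+1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"
    ),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "url": re.compile(r"\bhttps?://[^\s<>]+", re.IGNORECASE),
    # MM/DD/YYYY, M/D/YY or ISO YYYY-MM-DD.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # MRN formats differ per provider; "MRN <6-10 digits>" is an assumed convention.
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
}


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Map each Safe Harbor category found in text to the strings that matched."""
    hits: Dict[str, List[str]] = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            hits[category] = matches
    return hits


def contains_ephi(text: str) -> bool:
    """True if any identifier category is present; use it to block the send."""
    return bool(find_identifiers(text))


def redact(text: str, mask: str = "[REDACTED]") -> str:
    """Mask every matched identifier. Defence in depth only: categories the
    regexes cannot see (names, addresses, free-text descriptions) pass through."""
    for pattern in IDENTIFIER_PATTERNS.values():
        text = pattern.sub(mask, text)
    return text


# Constructed sample messages (not real patients, numbers or addresses).
SAMPLE_MESSAGES = [
    "Hi Dr. Lee, this is Jane (MRN 0045671). My fever started 03/14/2024, "
    "call me at (555) 867-5309 or jane.doe@example.org.",
    "Reminder: the clinic is closed on Friday for staff training.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        hits = find_identifiers(msg)
        verdict = "BLOCK (route via BAA-covered channel)" if hits else "ok"
        print(f"{verdict}: {sorted(hits)}")
        if hits:
            print("  redacted:", redact(msg))
```

Note that the first sample message also contains two names ("Dr. Lee", "Jane"), which is identifier 1 on the list, and the scanner does not see them. That is the point of the caveat: a filter like this tells you when you have definitely handled ePHI; it can never tell you that you have not.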
When building a healthcare application you should take every precaution to secure ePHI. You’re responsible for ensuring you are following the safeguards set by HIPAA. Many of the resources provided by the government are outdated and are no longer relevant.
You can refer to the HIPAA Developer Portal from the U.S. Department of Health and Human Services for more information about building a compliant app and the safeguards you should follow.
A few best practices:
There are a lot of factors to consider when building a HIPAA-compliant healthcare application, and it's easy to get overwhelmed by the poorly documented guidelines. The way to ensure HIPAA compliance with the least work is to use a HIPAA compliant service to transmit and store ePHI instead of doing the work yourself. Using an existing, secured service gives you time to focus on innovating in your application without having to build and scale the HIPAA compliant infrastructure. Any such service must sign a Business Associate Agreement (BAA) with you before it handles ePHI; using a vendor without one is itself a violation.
Yes. Whether it's building HIPAA compliant chat or signaling and dispatching emergency response, PubNub provides the secure, scalable, and reliable infrastructure to power it all. You can safely use PubNub to stream or store sensitive health information. PubNub will sign a Business Associate Agreement. PubNub has been HIPAA compliant since 2015 and has many customers in the healthcare industry, such as New York Presbyterian, AthenaHealth and OneDrop.
Because PubNub took the time to understand the healthcare industry and put in the hard work required to be HIPAA compliant, that’s something we don’t have to worry about. We were able to MVP the product quickly with HIPAA compliance already built-in.
-Sameer Khanna, VP of Engineering at Pager
Get started building a healthcare application using PubNub with these resources:
Have suggestions or questions about the content of this post? Reach out at email@example.com.