HIPAA IT Compliance Checklist: Guidelines | Stfalcon.com (2023)

Software development goes hand in hand with the legislation of the country it is built for. Non-compliance with the law can lead to serious consequences, including penalties and a ban on the software's use. Healthcare is an industry in which software use is regulated at the national level. Each country has its own regulatory documents for the development of medical digital solutions: for example, HIPAA in the USA, GDPR in Europe, and PIPEDA in Canada. Observing these standards is important for successful software implementation and circulation.

In this article, we will analyze the American Health Insurance Portability and Accountability Act (HIPAA) and HIPAA compliance software requirements. The article will be useful for developers of medical software for the USA market. We will discuss:

— what kind of information needs protection according to HIPAA;

— how exactly HIPAA regulates data protection;

— what it has to do with IT companies;

— what the consequences of a HIPAA violation are;

— how to meet HIPAA compliance software requirements;

— what pitfalls you should be aware of when developing HIPAA compliant solutions;

— how HIPAA software security requirements correlate with European legislation.

We will also provide you with a HIPAA compliance checklist for information technology companies.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was first put into effect in 1996. Its task was to modernize the flow of health-related data and to protect it from fraud and theft. Since then, the Act has undergone a number of changes. The HITECH Act, adopted in 2009, expanded HIPAA regulations in the sphere of technology use.

HIPAA compliance regulations constitute a set of regulatory standards that outline the lawful use of protected health information (often abbreviated as PHI). Companies that deal with such information should ensure that sensitive patient data is not misused. They should implement administrative, physical, and technical safeguards, specific technical policies, and network security.

Administrative safeguards are administrative policies and procedures bound to the security management process. They include risk analysis and management, workforce security, information access management, and security awareness and training.

Physical safeguards are physical measures that limit access to facilities. Such limitations are also placed on transferring, disposing of, removing, and reusing electronic protected health information (ePHI).

Technical safeguards include best practices for protecting data and systems with the help of technology. They control access to ePHI so that only authorized users can deal with sensitive patient data. Technical safeguards include network encryption, access control, audit controls, integrity, person or entity authentication, and transmission security.

Technical policies include integrity control, IT disaster recovery, and offsite backup procedures. They ensure quick remediation of electronic media errors or failures and accurate recovery of patients' data.

Network security concerns the various methods of data transmission via the Internet or private networks.

What Kind of Health Information Needs Protection?

Protected health information (PHI) is any demographic information that can be used to identify a person. It includes any structured and unstructured data, such as names, addresses, emails, phone numbers, medical records, bank accounts, billing information, insurance information, video, audio chats, photos, scans, etc.

Since nowadays most operations with patients' data are computerized, the newer term electronic protected health information (ePHI) is used. Common examples of ePHI applications are computerized physician order entry (CPOE) systems, electronic health records (EHR), therapeutic apps, and various telemedicine solutions. Companies include the ePHI associated with their activities in their HIPAA compliance requirements checklists.

How Does HIPAA Regulate Data Protection?

At present, HIPAA constitutes a set of rules, such as the Privacy Rule, Security Rule, Breach Notification Rule, Omnibus Rule, Enforcement Rule, Minimum Necessary Rule, Access Controls, etc. On the basis of these rules, providers form their HIPAA compliance audit checklist, which developers of IT solutions should be aware of.

HIPAA Privacy Rule

Also known as the «Standards for Privacy of Individually Identifiable Health Information», this Rule sets standards for patients' rights concerning PHI. They include the right to access PHI, the right to receive a notice of privacy practices, etc. These standards also give recommendations for privacy training and corruption prevention.

HIPAA Security Rule

Also referred to as the «Security Standards for the Protection of Electronic Protected Health Information», this Rule sets standards for the secure maintenance, transmission, and handling of ePHI. It outlines the administrative, physical, and technical safeguards any healthcare provider should meet. The HIPAA Security Rule, and especially the technical safeguards listed in it, is of great importance for software developers.

HIPAA Breach Notification Rule

It describes the steps companies should follow in case of a data breach. It outlines the notification process and describes the necessary elements of the breach notification message.

HIPAA Omnibus Rule

It outlines the rules for Business Associate Agreements, the contracts that must be executed before data is transferred.

HIPAA Enforcement Rule

This Rule governs the investigations following a breach of PHI and the penalties imposed for violations of safety procedures.

The Minimum Necessary Rule

The Rule states that employees should only have access to the minimum PHI needed to perform their job duties.

What Does HIPAA Have to Do with IT Companies?

HIPAA data security requirements apply to two categories of organizations: covered entities (these include healthcare providers, etc.) and business associates (organizations or individuals who act as vendors or subcontractors and in this role have access to PHI). The second group comprises data processing and data storage companies, data transmission providers, etc. If your company provides IT services or develops software that somehow touches PHI, it also belongs to the business associates group. A healthcare provider should enter into a «Business Associate» contract with you, and you then become responsible for meeting HIPAA software security requirements as well.

HIPAA Violation Consequences

HIPAA compliance is obligatory for all healthcare providers on the territory of the USA. Any violation of HIPAA regulations is subject to penalties. The HIPAA Enforcement Rule describes four levels of violation, from unaware violation to willful neglect unmitigated within 30 days. The fines vary from $100 to $50,000.

Apart from monetary sanctions, a violation of HIPAA compliance regulations can have a significant negative effect on the provider's reputation. Companies that violate HIPAA can face sanctions from professional boards and criminal charges up to imprisonment.

The most common violations in terms of software include the lack of protection of patients' records, inability to access patients' records, and misuse and unauthorized disclosure of PHI. You may also use HIPAA compliance reports as a guideline.

HIPAA Compliance Regulations and Software Development

As we could see, for IT companies specializing in the development of medical digital solutions, HIPAA compliance is crucial. Yet, it might be difficult in the beginning to understand how all the above-mentioned regulations relate to software development. So, let's «translate» them into software features mandatory for a HIPAA security compliance checklist.

Documentation processing mode

Documenting every single step is an inevitable routine for medical professionals. Efficient software facilitates documentation processing and secures data storage.

Utilized audits

Regular audits are an integral part of healthcare providers' work. Thus, medical companies need utilized audits that help to analyze risks and errors in data processing. HIPAA regulation does not identify what exact data should be audited or how often audit control should take place. So, rely on the specificity of the client's business as a guideline.

Remediation plan

According to HIPAA compliance regulations, every business dealing with PHI should have a recovery plan in case something happens to patients' data. It should cover major tasks for securing data, a plan for preventing security risks, and documentation on completed and scheduled safety procedures.

Meeting Omnibus Rule regulations

In case a healthcare provider has contractors managing ePHI, the company's software should be able to monitor the agreements connected with entrusting clients' data to business associates.

Good software should prevent data breaches and create automated reports in case of unwelcome interference. A key component of secure health data management is data encryption. For health solutions, encrypting data «on the wire» and «at rest» is a good option, though some companies divide data between PHI and non-PHI systems and apply higher security standards to the former.

Emergency access procedure

Facilities for informing staff and patients in case of threats and emergencies should be utilized.

Unique user authentication

For HIPAA compliant software, multi-factor authentication (at least two-factor) is strongly recommended. It is better if the system eliminates the possibility of accessing an account from multiple locations or devices simultaneously.

Role-based access control

Though the way to meet the HIPAA access control standard is not specified in the documentation, it is easiest to meet HIPAA data security requirements via role-based access control. According to this method, each user's role allows access only to the amount of data that is necessary to perform the corresponding job duties.

Automatic logoff

The screen should automatically log off when left unattended for a certain period to prevent unauthorized access to data. It is better if this feature is implemented in the configuration settings.
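As an added illustration (not code from the article or from Stfalcon.com), the following Python shows how the unique user authentication, role-based access control and automatic logoff items above fit together in one PHI access function that also writes the per-access entries the «Utilized audits» section asks for. The roles, field names, 15-minute idle timeout and patient record are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample record and roles; field names and roles are assumptions.
PATIENT_RECORD = {
    "name": "Jane Doe", "dob": "1980-01-01", "diagnosis": "hypertension",
    "insurance_id": "INS-0001", "billing_balance": 120.50,
}
ROLE_FIELDS = {  # minimum-necessary policy: the fields each role may see
    "physician": {"name", "dob", "diagnosis"},
    "billing": {"name", "insurance_id", "billing_balance"},
}
IDLE_TIMEOUT = timedelta(minutes=15)  # automatic logoff threshold (assumed value)

@dataclass
class Session:
    user_id: str  # one identity per person, so every audit entry names a user
    role: str
    last_activity: datetime
    audit_log: list = field(default_factory=list)  # one entry per access attempt

def access_phi(session, patient_id, record, now):
    """Return only the fields the session's role needs; log every attempt."""
    def log(outcome):
        session.audit_log.append((now.isoformat(), session.user_id, patient_id, outcome))
    if now - session.last_activity > IDLE_TIMEOUT:  # automatic logoff
        log("DENIED: idle timeout")
        raise PermissionError("session expired; re-authentication required")
    allowed = ROLE_FIELDS.get(session.role)
    if allowed is None:  # an unknown role gets nothing, not everything
        log("DENIED: unknown role")
        raise PermissionError(f"role {session.role!r} has no PHI entitlement")
    session.last_activity = now
    view = {k: v for k, v in record.items() if k in allowed}
    log("OK: " + ",".join(sorted(view)))  # record which fields were released
    return view

def demo():
    # Scenario: a physician, a billing clerk, and the physician's stale session.
    t0 = datetime(2023, 1, 1, 9, 0)
    doc, clerk = Session("dr_smith", "physician", t0), Session("b_jones", "billing", t0)
    doc_view = access_phi(doc, "P-1", PATIENT_RECORD, t0 + timedelta(minutes=5))
    clerk_view = access_phi(clerk, "P-1", PATIENT_RECORD, t0 + timedelta(minutes=1))
    try:
        access_phi(doc, "P-1", PATIENT_RECORD, t0 + timedelta(minutes=30))
        timed_out = False
    except PermissionError:
        timed_out = True
    return {"doc": doc_view, "clerk": clerk_view, "timed_out": timed_out,
            "doc_log": [entry[3] for entry in doc.audit_log]}
```

Denied attempts are logged just like successful ones, so an audit review can see both who saw which fields and who tried to after their session expired.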

Solution comprehensiveness

Health solutions should be comprehensive and user-friendly for medical staff. This will prevent unintentional violations of security procedures and data breaches.

Pitfalls in the Development of HIPAA Compliant Software

Meeting all the above-mentioned HIPAA software requirements is an important step towards high-quality software development. Yet, you should understand that the mere implementation of these features will not necessarily protect you and your client from HIPAA violations.

You need to make it clear to the client that, when used improperly in clinical settings, the solution can fail to maintain HIPAA compliance even if it comprises all the necessary features. The medical staff should be instructed and trained to use clinical software. Strong and long-lasting technical support is also highly recommended.

Some experts also warn about the security threats that can occur when scaling digital healthcare solutions. It is important to consider HIPAA compliant server requirements for information storage.

Our Experience in Following HIPAA Software Security Requirements

The biggest challenge for IT companies specializing in software development for the USA market is that there is no third-party HIPAA certification. So, it is your responsibility to ensure that your products meet all HIPAA software requirements.

Having studied regulatory documents and the experience of other companies, we have created a checklist for our developers with all the necessary features healthcare products should contain. You will find it at the end of this article.

However, not all of our clients are from the USA. Stfalcon.com develops healthcare apps and other digital solutions for Europe as well. Thus, we delved into the question to check whether there is any significant difference in data protection requirements for medical software in the USA and Europe.

HIPAA and European Healthcare Software Regulations

As we have mentioned before, you should take HIPAA regulations into account only in case of developing digital solutions for the USA. To improve clarity, let us see how it corresponds to European standards. In the European Union, data protection is ensured by the General Data Protection Regulation (GDPR).

The GDPR covers all data from which a person can be identified, whether directly or indirectly. Thus, GDPR covers a larger amount of data compared to HIPAA data security requirements, including ethnic origin, religious beliefs, sexual orientation, etc. In terms of health data, GDPR and HIPAA are similar, though while HIPAA is mostly focused on organizations that handle PHI within the USA, GDPR has a much broader scope of coverage and protects the personal data of European citizens not only on the territory of the EU but elsewhere. This is, by the way, an important notion for American healthcare organizations that handle EU patients' information.

Does it impose any additional demands on software development in Europe compared to the USA? Indeed, yes. Consider, for example, such interesting obligatory functions as pseudonymization by default or the right to be forgotten. But this is a good topic for another article. So far, it will be enough to understand that different countries have different legislation overlapping software development.

HIPAA Compliance Software Checklist for Developers

So, here is the HIPAA data security checklist we use in our practice. It contains the following questions:

- Is unique user authentication applied to track user activity with PHI?

- Does access control mode restrict users’ access to PHI that they don’t need for performing their job duties?

- Is there a recovery plan, and does it envisage every possible incident?

- Does emergency access mode provide appropriate access to ePHI in the case of an emergency?

- Do activity logs and audit controls function properly and correspond to the specificity of the client’s workflow?

- Does the solution have an automatic logoff feature?

- Is the integrity of data ensured?

- What data encryption and decryption mechanisms are applied? Are they relevant?

- Can data be easily restored? How is data backup organized?

To Sum Up

The development of reliable healthcare solutions that comply with national regulations is not an easy thing. One should keep in mind various requirements and features. Use our HIPAA data security checklist to ensure your solution contains all the necessary elements to be HIPAA compliant.

Contact Stfalcon.com specialists to get more information on how to create reliable and profitable healthcare software. We are ready to contribute to the development of your next HIPAA compliant medical digital solution.

Article information

Author: The Hon. Margery Christiansen

Last Updated: 10/31/2022