What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of US legislation, introduced in 1996, that safeguards patient information both at rest and in transmission. Covered entities (CEs) and business associates (BAs) must comply with HIPAA regulations. Healthcare providers, health insurance plans and healthcare clearinghouses are covered entities, whereas a business associate is any person or entity that performs third-party services or activities on behalf of a covered entity that involve access to protected health information (PHI). Under US law, PHI is any information about an individual's health status, provision of healthcare, or payment for healthcare services that is created, collected or transmitted by a covered entity and linked with individually identifiable information.
HIPAA Regulatory Rules
Healthcare organizations have been embracing the cloud to cut costs and improve the quality of care. While cloud adoption is an important step for a healthcare entity, it is equally important to adhere to HIPAA regulations. HIPAA establishes standards for the secure handling of PHI, which benefits caregivers and consumers alike.
The HIPAA regulations are organized into several major standards or rules:
1. Privacy Rule: Considered one of the major pillars of HIPAA, this complex rule sets the national standards for protecting patients' medical records and PHI and defines the permitted uses and disclosures. It also gives individuals the right to access their health records and to request corrections. Under this right, individuals can also obtain an accounting of when and how their medical records and data have been shared with others.
2. Security Rule: This rule specifies how to protect the confidentiality, integrity, and availability of electronic protected health information (e-PHI). It describes the safeguards that covered entities and business associates must implement to protect e-PHI from reasonably anticipated threats or hazards. The Security Rule defines three categories of safeguards: administrative, technical, and physical.
Administrative safeguards are the administrative actions, policies and procedures used to manage the security program and the workforce responsible for it. They consist of nine standards: Security Management Process, Assigned Security Responsibility, Workforce Security, Information Access Management, Security Awareness and Training, Security Incident Procedures, Contingency Plan, Evaluation, and Business Associate Contracts and Other Arrangements.
Technical safeguards cover the technology and the related policies and procedures that control access to e-PHI, including encryption and authentication. They consist of five standards: Access Control, Audit Controls, Integrity, Person or Entity Authentication, and Transmission Security.
Physical safeguards are the physical measures, policies, and procedures that protect the facilities and devices storing PHI from environmental hazards, unauthorized intrusion, theft, and similar risks. They consist of four standards, including Facility Access Controls, Workstation Use, and Device and Media Controls.
3. Enforcement Rule: As the name implies, this rule details compliance investigations, hearings, and penalties for HIPAA violations. A covered entity that fails to ensure the privacy and security of protected health information faces substantial fines and penalties for violating HIPAA and the Administrative Simplification requirements.
4. Breach Notification Rule: This rule requires covered entities and business associates to notify affected individuals, the media and regulators following a breach of PHI. An impermissible use or disclosure that compromises the security or privacy of PHI is considered a breach. In such cases, covered entities must provide notifications within 60 days of discovering the breach.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) oversees HIPAA compliance. Violations of HIPAA regulations can lead to heavy penalties and fines. The lawsuit filed against Anthem, the largest US health insurer, is a case in point. Considered the biggest healthcare data breach in history, this attack compromised the personal health information of 79 million patients.
The company had to pay a record $115 million to settle the lawsuits filed by patients. According to OCR, HHS collected $28.7 million from healthcare organizations and insurance companies in HIPAA enforcement actions in 2019 alone.
So, if you are involved in, or planning to, develop a website or mobile application that stores, records or transmits protected health information, it is vital to learn and comply with HIPAA regulations.
How to Make an App or Website HIPAA Compliant?
Whenever you handle sensitive medical information on your website or through your mobile application, it is crucial to ensure HIPAA compliance. Healthcare organizations that want to leverage cloud computing or mobile app technology must implement appropriate privacy and security safeguards to meet the HIPAA regulations.
An mHealth app or website must have a clearly defined architecture, and it is also essential to conduct a detailed and thoughtful review at every stage of development. Engaging a qualified security specialist to conduct a complete audit of the security requirements and standards of your website or mobile app is strongly recommended. Risks and vulnerabilities detected during the audit need to be mitigated and fixed at the earliest possible opportunity.
Another critical area is the transmission of PHI, where encryption plays a major role. Data must be verified and encrypted both at rest and in transit. Harden the app environment by forcing re-authentication after a period of inactivity and avoiding push notifications.
Is Azure HIPAA Compliant?
If a covered entity plans to use a cloud service such as Azure to build, migrate, manage, and support its business applications, it must first enter into a Business Associate Agreement (BAA) with Microsoft.
Does that make Azure HIPAA compliant? Unfortunately, no. Although Azure takes responsibility for the security of the underlying platform, that does not make a workload built on it HIPAA compliant. HIPAA compliance is not a property of cloud platforms and features; it depends on how the application and its users actually use the cloud services.
Azure's enterprise-class features can be used in many different ways, and Microsoft cannot be held liable for HIPAA violations that result from the misuse of its services. It is the sole responsibility of the covered entity to configure Azure cloud services in compliance with HIPAA regulations and security standards.
At the end of the day, HIPAA compliance may seem tedious and nerve-wracking, but addressing the privacy and security of PHI protects patients' sensitive health information. Ensuring HIPAA compliance for a website or mobile application takes dedicated effort and financial investment, yet it proves worthwhile down the road.