10 Truths to Know for Building HIPAA Compliant Software

10 Healthcare Data Management Truths Behind HIPAA Compliant Software

1. HIPAA Compliance Means Different Things in Different Contexts

2. Scaling Digital Health Solutions Increases Security Challenges

3. You Need to Start With a “Secure By Default” Foundation

  • Many companies encrypt only the fields that require it, setting up a secure internal data center network that allows servers to communicate over secure, yet unencrypted, connections.
  • Some divide data between PHI and non-PHI systems, applying higher security standards only to the PHI systems.
  • A conservative approach that makes achieving HIPAA-compliancy easier is to connect all parts of the system over HTTPS/TLS 1.2 (or later) secured connections, regardless of whether they are within your firewall.

4. There are Rewards — and Risks — to a Business Associate Agreement

5: Don’t Overlook These Security Features in Healthcare Data Management

  • Role-based access control: each user’s role should allow access to only a limited portion of the data in the system. Access to system features depends on the user’s role within the software. This extends to providing granular permissions to features and functions of both the user interfaces (UI) and application programmer interfaces (API) provided by the system.
  • Audit all data access: every action that affects the data in the system needs to be tracked (who viewed what information?). This can be implemented at a low level — but still to great effect — in the data access library or object relational mapper (ORM). Improperly executed data access audits can negatively impact system performance.
  • Enforce unique user identification: the system should eliminate the possibility of accessing one account from multiple locations or devices at the same time. It should also detect patterns of use that indicate an account is being shared by more than one person.
  • Emergency access procedures: if the system contains information that could be useful for providing care to a patient in critical condition, consider providing a way to access information during an emergency situation.
  • Automatic logoff: if a screen is left unattended for a period of time, it needs to automatically log off from the system to prevent unauthorized access to sensitive data.
  • Minimum password strength (use metrics such as length or mix of characters)
  • Password expiration date
  • Prevent password reuse
  • Password reset: both support personnel and end users need a UI that allows them to request a password reset; this needs to be done through a confirmed email address.
  • Two-factor authentication: if your product is accessible over the public internet, then requiring two factor authentication is the best way to make passwords stronger. With two-factor authentication, the user must enter a password and a unique access code generated by a smartphone or some other device
  • Electronic signature: if you have built a system that has all of the features described so far, then you can use the login portal you have already built to implement electronic signatures. The system should re-prompt the user to enter her password at the moment that she signs off on the document or process to help ensure that someone else has not hijacked the session, but the system doesn’t have to prompt for a second factor to be entered At the time of this writing, the FDA will accept re-entry of the password as the digital signature.

6: Build Multi-tenancy to Scale Secure Healthcare Data Management

7. Track Behavior in Software For Secure Healthcare Data Management

8. The Cloud Can Minimize the Cost of Secure Healthcare Data Management

9. DevOps Matters to Effective Healthcare Data Management

10. HIPAA Compliance Is a Milestone on the Road to FDA Certification

How Businesses With HIPAA Compliant Software Win the Healthcare Data Management Race



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store