A Simple Guide for Building HIPAA-compliant applications

Garrett McAnulla

Writing requirements for HIPAA-compliant software

Building software is hard, especially if you’re building applications that require HIPAA compliance. We covered the background in an earlier blog post, What is HIPAA?. In short, HIPAA (Health Insurance Portability and Accountability Act) is a federal law passed in 1996 that establishes standards for how personal health information (PHI) is shared. HIPAA is designed to protect the privacy of patients by requiring software providers to maintain strict security standards and medical providers to limit whom medical data is shared with.

When building HIPAA-compliant software that manages PHI it’s helpful to separate your requirements into three major categories:

  1. Technical Requirements
  2. Legal Requirements
  3. Procedural Requirements

Technical Requirements

The technical requirements of building a HIPAA-compliant application aim to ensure that PHI cannot be accessed through malicious activity such as hacking. Modern encryption (e.g. AES-256), automatic log-off, and investing in rigorous penetration testing are some of the common technical requirements you’ll see.

There are some great resources out there for learning about the technical requirements for HIPAA-compliant applications, including free resources like TrueVault’s HIPAA Compliance Developer’s Guide on GitHub.

Legal Requirements

The legal element of HIPAA compliance includes entering into a Business Associate Agreement (BAA) with your software provider, which commits the provider to higher standards when working with the information. Every software provider that works with PHI needs to sign a BAA with the healthcare provider for the system to stay compliant with HIPAA.

Also, we are not lawyers and our recommendations in this article do not constitute legal advice, so make sure you review your application’s specific use cases and their privacy implications thoroughly with an expert.

Procedural Requirements

The final category of requirements, procedural requirements, is where most of the mistakes happen. These requirements include administrative duties like managing employee training programs and completing annual risk assessments.

This category also includes maintaining the proper access control policies for PHI in your organization. In the simplest terms, this means that access to each patient’s medical records needs to be limited to the individuals who need that data to do their job. This is commonly referred to as “conditional access.”

Properly maintaining conditional access helps ensure that PHI is not over-exposed, protecting the patient’s privacy and limiting your company’s risk of penalties for HIPAA compliance violations.

A Simple Example

A simple example of maintaining conditional access is a small clinic where the receptionist needs access to a patient’s contact information, while the doctor needs more detailed access to the patient’s health information, such as current conditions, diseases, and vitals.

Other stakeholders, like insurance providers or specialists, may also need access to a patient’s medical records. Medical providers need to work together with their software providers to protect their patients’ privacy. Medical providers have the responsibility to configure their software’s conditional access controls in a compliant way, and software providers are responsible for maintaining those access conditions in production.

Role-Based Access Controls (RBAC)

The technical standard for maintaining conditional access in software applications that the industry is converging on is called “Role-Based Access Control,” or RBAC for short. While we could write an entire article about RBAC, the gist of the idea is:

  1. Organize your conditional access rules into different generalized “roles,” like Physician, Patient and Clinical Lab Scientist.
  2. Assign these roles to your application’s users to grant or revoke permissions necessary to maintain conditional access.

Most software providers that offer some form of role-based access control typically provide fairly coarse conditional access controls. Google Sheets, for example, has only two levels of access available: Read Only or Read/Write for the entire spreadsheet.

Other software providers offer more granular controls, like limiting access to specific tables or columns. Then there are software providers, like Docframe, that provide highly granular access controls with configurations that can fine-tune access to each individual data point, what we call “cell-level” permissions.

Without RBAC, maintaining conditional access to information is extremely difficult and error-prone, requiring lots of manual work granting and revoking access to health records to satisfy your conditional access requirements.
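As an added illustration of cell-level RBAC for the clinic scenario above (example code written for this article, not Docframe’s implementation): each role maps to the record fields it may read or write, anything unlisted is denied, and every read and every refused write is recorded so the access log can be reviewed. Role names follow the article; the field names and the sample patient record are constructed.

```python
from dataclasses import dataclass

# Constructed sample record; every value is made up for the example.
PATIENT = {"name": "Pat Example", "phone": "555-0100",
           "conditions": ["hypertension"], "vitals": {"bp": "138/88"}}

CONTACT = frozenset({"name", "phone"})
CLINICAL = frozenset({"conditions", "vitals"})

# role -> {action -> permitted fields}; anything not listed is denied
# (deny by default), which is what keeps PHI from being over-exposed.
ROLES = {
    "Receptionist": {"read": CONTACT, "write": CONTACT},
    "Physician": {"read": CONTACT | CLINICAL, "write": CLINICAL},
    "Clinical Lab Scientist": {"read": frozenset({"name", "vitals"}),
                               "write": frozenset()},
}

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # a user may hold several roles; permissions are the union

AUDIT_LOG = []  # stands in for the append-only access log a real system keeps

def allowed_fields(user, action):
    """Union of the fields that every one of the user's roles grants for `action`."""
    fields = set()
    for role in user.roles:
        fields |= ROLES.get(role, {}).get(action, frozenset())
    return fields

def read_record(user, record):
    """Return only the cells the user may read; log which cells were withheld."""
    ok = allowed_fields(user, "read")
    view = {k: v for k, v in record.items() if k in ok}
    AUDIT_LOG.append((user.name, "read", sorted(set(record) - ok)))
    return view

def write_cell(user, record, field, value):
    """Update one cell or refuse; a refusal is logged, never silently dropped."""
    if field not in allowed_fields(user, "write"):
        AUDIT_LOG.append((user.name, "write-denied", [field]))
        raise PermissionError(f"{user.name} may not write {field}")
    record[field] = value
    AUDIT_LOG.append((user.name, "write", [field]))
```

Granting a user the Receptionist role alone yields a view with only contact cells; a user with no recognised role sees nothing, which is the safe default.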

What to look for in a HIPAA-compliant software provider

These days it would be foolish to build an application completely from scratch. An application that would take years to complete from scratch can now be completed in a matter of months or sometimes even weeks with modern cloud and no-code tools.

This is also true for HIPAA-compliant applications that manage patient data, but there are some important caveats to keep in mind when choosing your tech stack.

  1. Will the software provider sign a BAA? Or in other words, will the software provider commit to HIPAA’s strict security rules?
  2. Does the software provider provide granular enough RBAC configuration options to maintain your conditional access requirements?

There are many SaaS, low-code and no-code companies that will sign a BAA and satisfy HIPAA’s technical security requirements, but their permissions features may lack the granularity necessary for your company to maintain proper conditional access and satisfy HIPAA’s privacy rule.

So, simply signing a BAA with a software provider does not guarantee that a medical provider will be compliant. If your tech stack includes a tool that you have a BAA with, but that tool doesn’t provide sufficient access control features, then your company will fall out of compliance and can face steep fines of up to $50,000/violation.

How Docframe makes building conditional access rules easier

Docframe’s role-based access controls allow you to define granular permissions with a simple, visual interface, so healthcare providers can create custom apps to solve their specific needs while staying HIPAA-compliant and protecting their patients’ privacy without deep software expertise.

With Docframe’s other features, like an easy-to-use spreadsheet interface, transitional data validation, and related link fields, Health IT professionals can build custom EMRs, LIMs, patient portals, and more, all while maintaining strict conditional access controls.