UPDATED Feb 20 2017: We now have an online portal to help you organize your HIPAA compliance requirements and perform unlimited Security Risk Assessments, which form the core of your annual compliance reporting. Check it out at BasicHIPAA.com.
After taking several clients through the full process of HIPAA compliance, I thought it would be a good time to record the experience and share some of the steps with our readers.
This post is meant for companies or consultants starting out with HIPAA, with visions of taking your product to the masses but recognizing that you will be handling sensitive data that will require compliance with the Health Insurance Portability and Accountability Act.
I’ll start the way my mother used to start her recipes for baking bread — stop now. Go outside, find a hobby, buy a loaf from the bakery, find a good reason not to get started. HIPAA, like baking bread, takes time and effort, and if you can re-engineer your problem / product so as not to require it, you’ll save time, money, aggravation, and maintenance. Maybe you can deal with just anonymized data, without storing any user names, phone numbers, etc.? Maybe partner with another provider to handle the HIPAA portion, and provide value on top of that?
If you’re still reading, it means that something in your core business value requires the handling of personal health information (PHI). So be it — let’s talk about what’s in store for you.
Why become HIPAA compliant? On one level, this is a legal business requirement, something to check off so that corporate counsel will be satisfied that no one will get sued. Agreed. However, I like to talk to clients about the real personal dimension here, since for HIPAA you (and we) are potential victims as well as system developers.
HIPAA breaches are real tragedies for real people. Hundreds (and eventually millions as your product succeeds beyond your wildest dreams) of people’s information will pass through and be stored by your systems, and if some or all of that data is exposed, those very real people’s lives can be impacted in dramatic ways. Your users might be denied access to insurance, jobs, relationships, or other things of importance to them because the insurance company, employer, partner, etc. finds out that they have a particular health condition. Your users are entrusting you with information that can be used against them, and you should be able to sleep at night knowing that you did everything within your power to earn that trust.
Ready to begin?
THE ROAD AHEAD
The road to HIPAA is paved with good intentions, lots of them. Be prepared to put together long checklists (dozens of items), review each one, and cross each one off as you address it. When all the checkboxes are checked, you are done and ready for an audit. We can recommend auditors that we work with, or you can find your own, but at the end of the road someone who does this every day will need to look at what you’ve done and certify that they are satisfied that you are following the rules. There is no official seal of HIPAA compliance, so this is the main way to gain credibility beyond your own claims.
HIPAA is complicated by the fact that requirements are typically split up into “required” and “addressable”. “Required” is self-explanatory, and “addressable” does not mean “not required” as you might hope, but that if you choose not to take that suggestion you need to explain why, and there might be reasonable explanations for why not. This is a grey area that gives you a lot of flexibility but can make things hard to pin down. Some of the addressable items can be explained via a “risk analysis” by which you would explain why the cost of implementation outweighed the benefit, but these need to be “addressed” on an item-by-item basis.
I like to divide the road to implementation into two parts, which can proceed in parallel: Technology and Policies.
In order to protect your users’ PHI, your technology needs to be buttoned down. The key phrase here is “encryption in motion and at rest”, which means that PHI needs to be encrypted while being transmitted over a network (e.g. between browser and server, or between servers at the data center) and when it is finally stored somewhere — usually in a database, but also on disk or any other storage medium that retains data when the power is turned off.
You probably already do the obvious, by protecting user accounts with a username and password, and (hopefully) sending these over SSL during the login process. Beyond that, here are some things to consider:
– There are rules about password complexity, expiration, session lifetime, etc. that need to be spelled out and enforced.
– Encryption at rest means encrypted fields in the database are strongly preferred, and this can complicate searches and simple SQL access to the production servers.
– Your choice of data center becomes severely restricted, as most cloud services are not HIPAA compliant, and this will increase cost by a factor of 2 or more. We can recommend both cloud and hosted solutions that we’ve worked with and are professional and helpful in the entire process.
– You will need to enforce who has access to the production environment, and provide special training and background checks for anyone who has access to PHI.
– Some form of Disaster Recovery (DR) plan needs to be in place.
You will need to create a policies and procedures document which spells out what is allowed and what is not, what happens if/when PHI security is breached, how new access is provided and existing access is removed, what forms to fill out when vetting a new partner, etc. This will likely be on the order of dozens of pages, and should be written by a company or individual that does a lot of these so they can tailor boilerplate to your particular circumstances.
The policies document provides dozens of i’s to dot and, while tedious, forces you to make sure you’ve really thought through what happens under various circumstances. Focus on that when you’re reviewing dozens of pages of text.
A well-written policies document will be an aid to you in running your business, and a poorly-written one will look like a legal contract that maybe covers you but doesn’t help and is difficult to work with. We can recommend providers who have delivered the former, but it’s important to look at this step as a guide and not just meeting a requirement.
The auditor is your friend. He or she will check all the hard work you’ve done and bring any failures or omissions to your attention for you to remedy; this is sometimes called a “gap analysis” since it shows gaps between your declared intentions and how things are really working. You’ll be given the opportunity to fill in the gaps and then have a repeated check to confirm that you made the required changes.
In the end the auditor is the person who can say definitively that all your hard work was worth it and that you’ve done what’s required.
Congratulations, you are now HIPAA compliant! You will have to keep an eye on things, though:
– File forms as employees with access to PHI join or leave the company
– Perform regular technology audits at the data center
– React to any intrusion detection alerts
– Perform regular vulnerability scans of your system to detect holes or security problems
– Meet periodically with your information security team to assess continued compliance
– Have an auditor come once a year to confirm that everything is still in order
When we finish a HIPAA engagement, we make sure to leave you with a calendar so you know what ongoing obligations you have. There are also paid services that will help you track these things throughout the year.
This overview would have been immensely helpful to us as we started to learn the ropes for HIPAA, a process which went over a period of years and several engagements. I hope it has been useful for you as well.
If you are interested in becoming HIPAA compliant, we would be happy to discuss ways to work together. Our typical engagements bring our expertise together with recommended third party providers for policy writing, auditing, hosting, etc. for an overall package that should address your HIPAA needs, whether on a budget or at scale.
Please contact firstname.lastname@example.org with any questions or to discuss how we can be of service. Be proud that you are building a business aimed at improving people’s health — we wish you much luck and success!