How to ensure HIPAA compliance in your tech stack
The importance of being HIPAA compliant
This article on being HIPAA compliant covers how companies that work with electronic Protected Health Information (ePHI) can ensure they follow HIPAA regulations. Specifically, we’ll cover two essential HIPAA compliance topics here. First, we’ll discuss how to ensure your own tech stack is compliant with HIPAA regulations. Second, we’ll go over how to ensure that any external vendors or partners you work with are also compliant.
Data breaches of confidential ePHI can be costly and involve legal action. Therefore, it’s best to ensure your company and any vendors you work with are following best practices.
A crash course on how to be HIPAA compliant
As you likely know, HIPAA is an American law passed in 1996. It pertains to the way Covered Entities (which include health care providers and plans) must securely and confidentially manage ePHI, which includes health care data and individual medical patient details. However, intermediaries that manage ePHI provided by Covered Entities are considered Virtual Entities and are subject to HIPAA regulations as well. (Intermediaries might include online pharmacies that gain access to patient data despite not being health care providers themselves.)
(It’s perhaps worth noting that while HIPAA is an American law, some of its regulations are broadly comparable to 2018’s European GDPR, at least with regards to potential best practices. We’ll cover that below in our discussion on external vendors.)
To ensure their software applications and processes are HIPAA compliant, companies must consider three primary factors:
- Confidentiality - Ensuring only appropriate parties have access to the data in question. Generally speaking, access to ePHI should be limited only to BAs (business associates who work directly with Covered Entities) who have signed legally-binding BAAs (business associate agreements)
- Integrity - Ensuring ePHI remains intact during processing to avoid altering or destroying any confidential health information
- Availability - Ensuring ePHI is available on-demand as needed for approved parties
Day to day, these key factors boil down to two levels of control:
- Technical controls - Determine how code is hardened or otherwise protected. Companies that handle ePHI can ensure data integrity within their tools with regular penetration testing.
- Organizational controls - Determine a company’s best practices for accountability, training, and levels of access control for the appropriate parties.
As you might imagine, failing to follow HIPAA regulations properly can carry dire consequences. Companies found to be in breach of HIPAA may be subject to hefty government fines, criminal charges, and subsequent legal action.
An abridged HIPAA compliance checklist for your business and tech stack
So how do you get HIPAA compliance certification for your business and tech stack? Short answer: You don’t.
That’s because HIPAA compliance isn’t related to any official certification of any kind. Repeating for emphasis: There is no such thing as an official certification for HIPAA compliance. Operating your business in a manner that is HIPAA compliant means ensuring your company, and all its software applications and processes, are following all major HIPAA regulations. Specifically, your business must take the crucial step of passing confidential ePHI data only through vendors that are also in compliance with the law.
To confirm that your tech stack and teams are HIPAA compliant in practice, your business must be prepared for a HIPAA risk assessment. To prepare for a risk assessment, we recommend your company takes the precautions covered in this HIPAA compliance checklist, and that you ensure any vendors that process your ePHI do the same:
- Catalogue your company’s ePHI data - It’s a good idea to identify all ePHI your company has any contact with, where it resides, and through which services your ePHI data passes. To ensure full integrity and compliance with HIPAA regulations, we recommend you ensure any software applications through which you pass ePHI are also HIPAA compliant.
- Assess and train involved parties and BAs - We also recommend you have clearly identified the parties involved in sharing this data, including any external consultants, vendors, and BAs. Some software vendors will use “dummy data” for demonstration or HIPAA compliance training purposes. However, when conducting any processes involving live ePHI data with BAs, whether they are external partners or employees of your own company, you must ensure they have signed a BAA. You must also provide HIPAA compliance training to any team members that may work with ePHI that includes, on an as-needed basis, a walk-through of your company’s ePHI, a data breach plan, and use of data encryption (see below).
- Prepare a HIPAA breach plan - Assess potential data security threats and their impact on your business. (Many HIPAA risk assessors assign an actual risk level score from 1-10.) It's also a best practice to be aware of different types of HIPAA data breach notifications and be prepared to report them to customers as needed.
- Consider data encryption - Data encryption is an important tool to protect your business in a HIPAA risk assessment. ePHI data breaches frequently occur in the case of thefts or losses of mobile devices containing unencrypted data. To clarify: Whilst HIPAA regulations do not technically require data encryption, there's little reason why you would opt not to encrypt your data, or use encrypted devices to access data, so we recommend you consider this additional security layer.
- Risk assessment documentation - Be advised that any documentation for a HIPAA risk assessment must be stored for at least six years.
Using these HIPAA compliance checklists will help you avoid getting a call from the HHS.
An abridged HIPAA compliance checklist for external vendors
Obviously, your company will need to do business with additional vendors, particularly software vendors, and pass data through their wonderful software products for common business use cases such as data-logging platforms, payment processing, and other common applications. In a perfect world, every vendor you work with would have already filled out the above HIPAA compliance checklist for their tech stack. In reality, as we've covered above, there is no such thing as official HIPAA certification, so we advise you don't just settle for verbal assurances from your vendor. This is why we've compiled a list of things to look out for to ensure your vendors take HIPAA compliance seriously. Ideally, a trusted vendor:
- Can pass/has already passed an independent HIPAA audit - Vendors that are serious about data security for HIPAA will have already passed an independent, third-party HIPAA audit and will have received thorough HIPAA compliance training.
- Has already passed security audits including SOC 2 - SOC 2, as you're probably aware, is a strict class of security audit that ensures data security, integrity, and confidentiality. (SOC 2 Type 2 is an even-more stringent security standard designed for service providers that store cloud-based data.) It would be...unusual, to say the least, for a vendor to claim to be HIPAA compliant while not also being SOC 2 compliant.
- Clearly lists other cloud services it uses - It's common for vendors that do business in Europe to openly list their sub-processors (vendors) on their company's website as stipulated by GDPR. Regardless, your vendors will ideally have a publicly-available list of additional cloud services they use. A full list of cloud services will clearly indicate your vendor is modern enough to not rely on outdated (and potentially less-secure) on-premise solutions, and unafraid to show that it securely uses several additional services to accomplish its typical tasks. Conversely, it would be more than a bit odd to see a vendor publicly list that it only uses a single cloud service such as Amazon Web Services...without the usual expected cadre of associated services, like error reporting or log management services.
- Always uses data minimization practices - It's a good idea to look for vendors that aren't careless with where and how long they hold your data. As hinted at above, vendors that fail to disclose the applications they'll use to process your data may choose not to (or may be unable to) lock ePHI data out of non-HIPAA-compliant apps. It's best to partner with vendors that actively practice data minimization by ensuring that your sensitive data will only be routed to compliant applications, and by limiting the length of time they retain your data overall.
By confirming that both your company and any vendors you work with cover all the bases in our HIPAA compliance checklists, you can ensure your company can pass a HIPAA risk assessment. And by confirming that any software applications you use are provided by HIPAA-compliant vendors, you can ensure your ePHI remains secure and is not at risk of a data breach - and that your company isn’t at risk of fines, criminal charges, or lawsuits.
For more information on HIPAA, please visit the HHS website.