For most the answer is that HIPAA does not apply. HIPAA applies only to a small number of entities known as "Covered Entities", which are typically in the hospital and healthcare fields, and to organizations that provide services to Covered Entities, referred to as "Business Associates". The HIPAA regulations are very clear that most Business Associates are required to comply with HIPAA. However, most companies in nonregulated industries would still derive significant value from the privacy and security processes and procedures that HIPAA mandates. In today's environment of cyberthreats such as hacking and malware, an organization can never be too careful. The Federal Trade Commission (FTC) has sued numerous nonregulated organizations because they failed to take common security precautions, such as keeping their IT systems updated, and could not detect and respond to network intrusions. The typical result of lax cybersecurity is a data breach resulting in the theft of private customer records, including credit card numbers, in the tens of millions.
HIPAA-Compliant Web Apps
In recent years there has been a surge in the number of health apps being developed, and there is no indication that this will slow down anytime soon. Moreover, with the spread of HIPAA compliant home speaker devices like Alexa, it has become extremely important to understand when apps are subject to HIPAA compliance.
In a recent presentation to the Senate Cybersecurity Caucus, Jennifer Bordenick, CEO of eHealth Initiative & Foundation, stated that there are many myths and misinterpretations of HIPAA. Bordenick states that one of the biggest and most problematic is the common belief that "HIPAA protects all of your healthcare data." In fact, HIPAA compliance is circumstance specific and differs from case to case. Accordingly, there are some well-established rules that help developers and providers determine whether an app must comply with HIPAA or not.
Web App HIPAA Compliance Not Needed
Compliance, or lack thereof, is determined by a number of things including the app's purpose, type of access, the way data flows through it and how it is branded.
Apps that are for personal use only
For example, if the app's purpose is to allow users to collect their own data for their personal use, it does not have to be HIPAA compliant. In such cases, the app developer is not receiving, managing or sharing that data for a covered entity or its associates.
Apps that patients use to monitor their own conditions to share with their providers
The same rule applies even when patients download apps that monitor their health and send the reports to their healthcare provider. As long as the user is the one who initiated the data access, neither the app developer nor the provider needs to be compliant for that app. This kind of app provides direct-to-consumer services. Some apps are offered in two versions: one that must be HIPAA compliant (for example, if it is offered by a health plan) and another that provides the service directly to the consumer.
Apps in which the developer does not create, receive, maintain, or transmit protected health information (PHI)
As a general rule, if an app developer is not managing data as a business associate (BA) on behalf of covered entities, their app does not need to be compliant.
Web App HIPAA Compliance Needed
"Generally, HIPAA covers data in health plans with healthcare providers that are conducting transactions, like claims transactions, billing, clearing houses and business associates," states Bordenick.
When an app contains protected health information (PHI)
PHI includes data about the physical or mental condition of a patient, data that can identify an individual, demographic data, and healthcare operations and billing information.
Health plans, transactions and clearing houses
If apps that manage PHI must be HIPAA compliant, then it is only natural that the same applies to apps that are offered by health plans and apps that manage any sensitive transactions, such as clearing house apps.
If an app developer is a business associate, they can determine their need for HIPAA compliance by answering the following questions:
Are your clients covered entities?
Are you funded by, or do you receive payment for your product from, a covered entity or another BA contracted by a covered entity?
Do you create, receive, maintain or disclose any data related to a patient or health plan member?
If your answer is yes to any of the above, then HIPAA compliance is a must.
HIPAA Compliant Websites
In today's digital age, having a web presence is important in attracting potential patients to your health practice. Those operating within the healthcare industry must have HIPAA compliant websites to protect the information being collected from both current and future patients.
Should Your Website Be HIPAA Compliant?
If you answer yes to one or more of the questions that the Compliancy Group asks below, you should have a HIPAA compliant website.
Are you collecting Protected Health Information (PHI) on your website?
Are you transmitting PHI through your website?
Are you storing PHI on a server connected to your website?
How to Make Your Website HIPAA Compliant
Utilize SSL: Serving your website over SSL/TLS (HTTPS) protects information in transit between the visitor's browser and your web server from being read or altered on the network.
Data Encryption: Data collected through web forms should be encrypted at rest as well, so that a breach of the storage does not expose the records to loss or theft.
Store data on a HIPAA compliant server: The security capability of a server plays an important role in patient data protection. HIPAA has specific requirements for server compliance, which all healthcare providers should familiarize themselves with and implement.
HIPAA-Compliant Website Checklist
Still not sure if your data protection is up to HIPAA compliance standards? Refer to this checklist:
All data collected and shared must be encrypted.
Back up all data provided by patients.
Patient health data needs to be recoverable.
Data collected should be protected from alteration, with any tampering detectable.
Data no longer required should be permanently deleted.
If your organization does not store or transmit PHI, then having a HIPAA compliant website is not necessary. Taking steps to ensure compliance with HIPAA web requirements is still recommended, in case PHI is handled in the future.
HIPAA Compliant Hosting Service
Hosting a website or service that adheres to HIPAA guidelines requires HIPAA compliant hosting. The Health Information Technology for Economic and Clinical Health Act (HITECH) was signed into law in 2009 and increases the scope of protections for individuals while increasing penalties against healthcare providers that do not implement a proper system to manage electronic health records. Simply put, HIPAA compliant web hosting involves technological safeguards that include methods of protecting, storing, disseminating and sharing electronic information across multiple platforms, servers, and devices.
Can I Manage the HIPAA-Compliant Hosting Myself?
Negligent non-compliance with HIPAA can result in fines that range from $10,000 to $50,000, up to a maximum of $1.5 million per violation per year. These numbers can be daunting for smaller healthcare providers to shoulder, which creates a strong incentive to ensure adequate hosting is in place.
Organization size and available resources can affect the ability to install and maintain a HIPAA compliant hosting solution in-house. Organizations that cannot do so must look to a third party for a HIPAA compliant hosting solution that fits their budget while meeting the requirements of the law.
HIPAA Hosting Compliance Checklist
Whether handling web hosting internally or outsourcing to a HIPAA compliant hosting service provider, HIPAA HQ provides a helpful list of areas to account for, including:
Documented data management, security & training plans
A system for issuing unique user IDs and passwords, and procedures for login/logout
Established and documented policies for the storage, transfer, disposal, and reuse of data
Policies in place to address data transmissions over the internet, through email, private networks, and clouds