Thoughts on making web application HIPAA Compliant

Reading Time: 5 minutes

If you are a web application developer or are provisioning an application for health care, this article provides some information on what you should focus on to be compliant with the current healthcare regulations. In accordance with the HIPAA Privacy Rule, any healthcare practice (or provider) must protect a patient's individually identifiable health information, often called Electronic Protected Health Information (ePHI).

This article talks about what is involved in protecting ePHI and how OfficeClip handles it.

What is included in ePHI?

The following information is included for each individual who gets any healthcare services:

  1. The past, present or future physical (or mental) health or diagnosis.
  2. The past, present or future provisioning of health care.
  3. The past, present or future payment-related information for the provisioning of health care.
So, if you are storing this information in a database or in files on a computer, it may include (but is not limited to):
  • Name
  • Address
  • Telephone & Fax
  • Email Address
  • Appointments with Providers
  • IDs such as Social Security Number, Medical Record Number, Insurance IDs, etc.
  • Other numbers such as Account Number, license number, etc.
  • Any serial number, e.g. Vehicle Serial Number, Device Identifier, etc.
  • Web URL and IP (Internet Protocol) address
  • Images, fingerprints or voice prints
  • Anything else that can identify the person uniquely
For example, if an email is sent to a patient saying “Your next appointment is 3PM on Monday with Dr. Travis”, it is ePHI because the patient's appointment is protected information. There are still many gray areas on what constitutes ePHI. For example, if you are a physician's office and send a newsletter to all your patients regarding diabetes treatment, it could be treated as ePHI. However, if they get the same information from a general website, that information is not ePHI.
Who is covered by HIPAA and ePHI security
  1. All HIPAA covered entities, for example: caregivers, providers, clearinghouses, plan providers.
  2. All Business Associates of a HIPAA covered entity
  3. All Business Associates of a Business Associate of a HIPAA covered entity
For more information see the HHS.gov website.
One issue with HIPAA is that it consists of guidelines and recommendations and does not explicitly say, for example, which data fields must be protected to be compliant. In general, for an application like OfficeClip to be compliant, it must, at a minimum, protect all protected health information.
Application requirements for HIPAA compliance
According to the Lux Scientiae blog, here are some of the things you need to secure:
  1. Transport Encryption when sending data via internet
  2. Backup and Recovery
  3. Authentication and Authorization
  4. Integrity, meaning data is not tampered with or altered
  5. Storage Encryption, for the database and files
  6. Disposal, data can be purged when no longer required
  7. Agreements with Business Associates, i.e. you have a signed business agreement with whoever touches your data
How this works with a web application
  1. Transport Encryption: This requirement is pretty simple to implement. All you have to do is either limit access to your intranet or use SSL (Secure Sockets Layer, i.e. the https:// protocol) when accessing the application from outside.
  2. Backup and Restore: The web application should provide unattended backup and restore. Alternatively, you can use the operating system's backup and database backup methods.
  3. Authentication and Authorization: This means only authorized personnel should have access to the system, and only to the part of the system that the person is authorized to access. Note that within your organization you also have to make sure that the people who have access to your website, web servers or emails are authenticated.
  4. Data Integrity: This means that the data cannot be tampered with. It also means that if the data is somehow tampered with, it becomes either useless or is flagged as tampered. This can be achieved either by using a checksum of the data or by using strong encryption on the data. Encryption of the data can be achieved by various means such as SSL, AES, PGP, etc.
  5. Storage Encryption: Storage encryption is recommended if ePHI is stored in and retrieved from backups and is handled by multiple people. Many times people make copies of disks in order to steal information or for other nefarious purposes. In the Windows operating system you can enable BitLocker encryption (Windows 7 or higher) and encrypt the whole disk or individual folders.
  6. Disposal: When the information is no longer necessary, it needs to be disposed of beyond recovery. You need to consider all the places where you hold information that must be disposed of when it is no longer needed. Again, there is no hard and fast rule here, and you need to decide what you want to keep or dispose of.
  7. Contracts with Business Associates: Anybody you do business with who touches the ePHI needs to have an agreement with you saying that they follow the same or more stringent security rules than you do. This includes web site providers, data providers, etc. Note that if you are hosting your web server with a third-party bulk service provider, you need to find out from them whether they have all the infrastructure mentioned in this article. Will they guarantee that after you close your account, they will delete all your information from their backups? If you host it yourself, for example on a private cloud server, then you have more control over these procedures.
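As an added example (not OfficeClip's code), here is one way a web application can make a stored ePHI record "flagged as tampered" as described under Data Integrity above: each record is sealed with a keyed HMAC-SHA256 tag and the tag is re-checked on every read. The key, the record fields and the MRN value are constructed for the demo.

```python
"""Added example (not OfficeClip code): tamper-evident ePHI records.
Each record is stored with an HMAC-SHA256 tag over a canonical
serialization of its fields; on read the tag is recomputed, so any
altered field, or a tag forged without the key, is flagged as tampered."""
import hmac
import hashlib
import json

# Constructed demo key; in production, load it from a protected secret
# store, never from the database that holds the records it protects.
INTEGRITY_KEY = b"demo-only-32-byte-key-0123456789ab"


def canonical(record: dict) -> bytes:
    # Stable serialization so equal records always hash the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of the record with an integrity tag attached."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "_tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record has not been altered since sealing."""
    body = {k: v for k, v in sealed.items() if k != "_tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the tag.
    return hmac.compare_digest(expected, sealed.get("_tag", ""))


# Constructed sample record (fictional patient data).
PATIENT = {"mrn": "MRN-000123", "name": "Jane Doe",
           "appointment": "Monday 3PM with Dr. Travis"}


def demo() -> tuple:
    sealed = seal(PATIENT)
    # Someone with database access changes a field but not the tag...
    tampered = {**sealed, "appointment": "Tuesday 9AM with Dr. Travis"}
    # ...or recomputes an unkeyed checksum; neither passes without the key.
    forged = {**tampered, "_tag": hashlib.sha256(canonical(
        {k: v for k, v in tampered.items() if k != "_tag"})).hexdigest()}
    return verify(sealed), verify(tampered), verify(forged)


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

A plain, unkeyed checksum detects accidental corruption but not a deliberate change by someone who can simply recompute it, which is why the tag is keyed and the key lives outside the database.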
How does OfficeClip handle it?
Currently the cloud version of OfficeClip cannot guarantee HIPAA compliance. You will have to acquire an installed version of OfficeClip and follow the rest of this article for compliance. Let's consider each of the above points:

  1. Transport Encryption: Make sure you buy an SSL certificate for the OfficeClip site and install it in IIS.
  2. Backup and Restore: OfficeClip provides a backup and restore application that can run in the background. You may also use Windows Backup, SQL Server Backup or any third-party backup software.
  3. Authentication and Authorization: OfficeClip software is accessed through a password-protected login. OfficeClip administrators can fine-tune access using roles and privileges.
  4. Data Integrity: Please see the next section.
  5. Storage Encryption: OfficeClip installs on Windows Server and IIS. In the Windows operating system you can enable BitLocker encryption (Windows 7 or higher) and encrypt the whole disk or individual folders. It is recommended that you put the OfficeClip installation, database and document repository inside BitLocker.
  6. Disposal: Using an application like OfficeClip, it is much easier to dispose of information because most of it is stored in an optimized database. Note that some of the information may be stored in your private emails, backups, etc., which OfficeClip cannot manage, so you need to have procedures in place to manage this. In OfficeClip, some information such as employee information, notes, etc. is not removed unless special procedures are in place, while other information such as patient information, contact information, account information, etc. can be removed by deleting the main record.
  7. Contracts with Business Associates: You must ensure this with the service provider where you install OfficeClip. If you install it on your own premises or on an Amazon cloud server, then this process is simplified.

Disclaimer

  • Stock Photo: Creative commons attribution: Flickr
  • The information given in this article may not be current and may not be complete. You are advised to do your own research while implementing these policies.