HIPAA was written in 1996, pre-dating even the rise of the consumer Internet. Because of its dated language and wide-sweeping nature, HIPAA can be tough to decipher, creating confusion for developers who are trying to determine both whether the app they’re building needs to be HIPAA compliant and, more importantly, whether the app they have built actually is compliant. Further, multiple changes to the HIPAA privacy and security rules over the years have added to the confusion.

Recent announcements from Apple and Google about their health app platforms have brought this topic back into the news, as more developers seek to develop apps for these platforms. One question that continually rises is the connection between application hosting and application compliance. With HIPAA compliant hosting available, does running an app from a HIPAA compliant hosting environment make the app itself compliant?

Not necessarily. Let’s explore why.

Does Your App Require HIPAA Compliant Hosting?

The first question to ask is whether your application needs HIPAA compliant hosting at all. Not all apps have to be HIPAA compliant; the decision depends on a couple of factors, such as who will actually be using the app and what type of information it will store.

To determine if you even need to consider HIPAA compliant hosting, ask these important questions:

* Who will use the software? If it’s a HIPAA-covered entity (physician, nurse, hospital, medical center or insurer) then the app must also be HIPAA compliant.

* Will it store or transmit personal health information (PHI or ePHI)? If it’s personally identifiable health information, then the app must be HIPAA compliant.

For more information on when your app needs to be HIPAA compliant, read When HIPAA Applies to Mobile Applications. Your answers to these questions will tell you whether your app must meet HIPAA compliance standards. If it does, you’re going to need more than HIPAA hosting to meet the requirements of the law.

The HIPAA Security Rule is broken down into three main elements: Administrative Safeguards, Technical Safeguards and Physical Safeguards.

In order to be HIPAA compliant, your application must meet all three requirements.

Requirements of HIPAA Compliant Hosting

Most HIPAA compliant hosting providers only meet the requirements dictated under the Physical Safeguards section of the Security Rule. They do not provide compliance under the Administrative or Technical Safeguard requirements. HIPAA compliant hosting providers typically provide the following elements of compliance around Physical Safeguards.

Facility Access Controls, which include:

* Contingency Operations to establish and implement procedures that allow access in support of restoration of lost data in the event of a disaster or emergency.

* A Facility Security Plan that includes policies and procedures to safeguard the facility and the servers, etc. from unauthorized physical access, tampering and theft.

* Access Control and Validation Procedures to control and validate access to the facilities, including visitor control, and control of access to software programs on the servers.

* Maintenance Records that document repairs and modifications to the physical components of a facility related to security (e.g. hardware, walls, doors, and locks).

* Workstation Use policies and procedures that specify the functions to be performed and the manner in which they are to be performed, as well as the physical attributes of the surroundings of specific workstations or classes of workstation that can access ePHI.

* Workstation Security, including physical safeguards for all workstations that access ePHI, in order to restrict access to authorized users only.

Device and Media Controls, which include:

* Disposal policies and procedures to address the final disposition of the hardware or electronic media that stores ePHI, such as hard drives, etc.

* Media Re-Use procedures for removal of ePHI from electronic media before the media are re-used.

* Accountability by logging all movements of hardware and electronic media and documenting all people responsible for the transportation of that hardware.

* Data Backup and Storage to create a retrievable, exact copy of ePHI, when needed, before movement of equipment.

HIPAA Hosting Checklist

These requirements are typically distilled down into a checklist of features that come standard with most HIPAA compliant hosts, such as:

  • A fully implemented firewall on all systems.
  • Two-factor authentication for access control on everything from control panels to CMS to any other server-side software.
  • External data redundancy and off-site backup.
  • SSL access and up-to-date SSL certificates, including SSL VPN access and encrypted VPN sessions.
  • Private hosting environment for servers holding protected health information.
  • Business Associate Agreement (BAA) signed with application developers.
  • Policies and procedures that outline how, when and who can access the servers at the hosting facility, including staff logs, identity verification and more.

If a Web host meets these requirements, then they provide a HIPAA-compliant environment for hosting application data. However, as the application developer, you are still required to address the Administrative and Technical Safeguards required by the HIPAA rules in order to be fully compliant.
HIPAA Compliant Apps Need More Than HIPAA Compliant Hosting

If you’ve secured HIPAA compliant hosting you’ve effectively solved one third of the HIPAA compliance equation, but you still need to ensure that you’ve met the Technical and Administrative safeguards outlined in the rule to be fully compliant.

Technical Safeguards Required By HIPAA are Not Included in HIPAA Hosting

The technical safeguard requirements include the following features.

Access Control requirements including:

  • Unique User Identification to assign a unique name and/or number for identifying and tracking user identity in your application.
  • Emergency Access Procedures that establish (and implement as needed) the steps for obtaining necessary ePHI during an emergency.
  • Automatic Logoff that terminates an electronic session after a predetermined time of inactivity.
  • Encryption and Decryption mechanisms that encrypt and decrypt ePHI within your application.

Transmission Security requirements including:

  • Integrity Controls including security measures to ensure that electronically transmitted ePHI is not improperly modified without detection.
  • Encryption mechanisms to encrypt ePHI whenever appropriate.

And finally a variety of other controls including:

  • Audit Controls for hardware, software, and/or procedural systems including mechanisms that record and examine activity in systems that contain or use ePHI.
  • Mechanism to Authenticate ePHI that validates that ePHI has not been altered or destroyed in an unauthorized or unexpected manner.
  • Authentication procedures to verify that a person or entity seeking access to ePHI is the one claimed.
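To make the Technical Safeguards above concrete, here is an added example (not code from the original article or any real product) of how an application, rather than its host, has to implement Unique User Identification, Automatic Logoff, a Mechanism to Authenticate ePHI and Audit Controls. The inactivity limit, the integrity key and the sample record are constructed values chosen for the demonstration.

```python
import hashlib
import hmac
import json
import time

INACTIVITY_LIMIT_S = 15 * 60  # assumed policy value: terminate a session idle this long
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"  # constructed; keep real keys in a KMS

AUDIT_LOG = []   # Audit Controls: every ePHI access or session event is recorded here
SESSIONS = {}    # session_id -> {"user_id": ..., "last_seen": ...}


def audit(event, user_id, **details):
    """Append one audit record; user_id is the Unique User Identification."""
    AUDIT_LOG.append({"ts": time.time(), "event": event, "user": user_id, **details})


def open_session(session_id, user_id, now):
    """Start a session for an already-authenticated user (authentication itself is out of scope here)."""
    SESSIONS[session_id] = {"user_id": user_id, "last_seen": now}
    audit("login", user_id, session=session_id)


def session_user(session_id, now):
    """Automatic Logoff: a session idle past the limit is terminated, not silently refreshed."""
    s = SESSIONS.get(session_id)
    if s is None:
        return None
    if now - s["last_seen"] > INACTIVITY_LIMIT_S:
        del SESSIONS[session_id]
        audit("auto_logoff", s["user_id"], session=session_id)
        return None
    s["last_seen"] = now
    return s["user_id"]


def seal_record(record):
    """Mechanism to Authenticate ePHI: attach an HMAC-SHA256 tag over the canonical JSON form."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def read_record(session_id, sealed, now):
    """Return the ePHI only for a live session and only if its integrity tag still verifies."""
    user_id = session_user(session_id, now)
    if user_id is None:
        return None
    expected = seal_record(sealed["record"])["tag"]
    ok = hmac.compare_digest(expected, sealed["tag"])
    audit("read" if ok else "integrity_failure", user_id,
          patient=sealed["record"].get("patient_id"))
    return sealed["record"] if ok else None
```

A tampered record or an expired session is refused, and the refusal itself lands in the audit trail, which is the behaviour an auditor will look for.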

Even when using HIPAA hosting, you’ll still need to build the systems to cover the above in order to ensure you’ve met the Technical Safeguards requirements.

HIPAA Hosting is One Part of a Larger Compliance Program

Hopefully it’s clear now that just because one element of your app, such as the hosting provider, has HIPAA compliant safety standards in place, doesn’t mean your application has met the requirements of HIPAA compliance. You absolutely cannot depend on HIPAA compliance from a hosting provider to cover your app’s compliance needs.

Instead, you must first determine if your application needs to be HIPAA compliant, and if so, take the proper steps at the Administrative, Technical and Physical levels to meet the requirements of the HIPAA Security Rule.

The penalties for noncompliance are stiff—it’s not worth the risk of just settling on a HIPAA-compliant host as the basis for your app compliance. Take the proper steps to meet all requirements before launching your application to ensure you don’t run into any compliance issues down the road.  

All Health Data Management content is archived after seven days.