HIPAA compliance for software products can be complicated. This guide will help.
If you're looking to build an application that handles personal health information (PHI), you'll likely need to comply with HIPAA, a United States regulation covering how healthcare data is handled by technology systems. It's important to note that there is no recognized certification by the United States Department of Health and Human Services for HIPAA compliance, and no certifying body that can produce a statement attesting to your compliance. This means that your organization is ultimately responsible for confirming that you're following the practices below. It's always a good idea to check with a lawyer if anything's unclear, as this article is a guide, not legal advice.
HIPAA requires users to follow the Security Rule, the Privacy Rule, and the Breach Notification Rule. Each of these items has a set of unique requirements, but can be summarized as two practical steps. First, your organization will need to follow a set of reporting, security, privacy and compliance behaviors outlined in each of those rules. These are organizational practices you're committing to follow. Second, you'll need to sign a BAA (business associate agreement) with your technology provider and anyone else you're doing business with who's handling PHI that flows through your application.
At what point in the application build process will I need to comply with HIPAA?
You will need to comply with HIPAA at any point where your application handles personal health information. In general, that means production systems will need to comply with HIPAA. Staging, testing, and development infrastructure that do not handle real personal health information generally do not need to comply with HIPAA. These systems shouldn't interact with production data for security and privacy reasons.
If you're building your application on Crowdbotics, your data is segregated between production and staging by default, so you don't need to worry about this distinction.
Moving to HIPAA on Crowdbotics
Crowdbotics runs a number of production applications in healthcare settings that comply with HIPAA.
If you're building an application on Crowdbotics, you can run move your application into the HIPAA compliant runtime in two easy steps.
1. Contact your account manager and request a copy of a Business Associate Agreement between you and Crowdbotics. This legal document executed between your organization and Crowdbotics is a requirement of HIPAA and attests to secure data-handling and notification practices.
2. Use the Crowdbotics dashboard to upgrade your application's plan to the Enterprise plan. This enables access to hosting infrastructure that complies with HIPAA requirements, including a BAA with the cloud hosting provider and secure data-handling practices. You should verify that your application is running in either AWS or GCP cloud infrastructure on Crowdbotics. These two platforms are covered by BAA agreements between Crowdbotics and Amazon or Google.
Security Best Practices
If you haven't already, we recommend that you turn on the following features in your application for increased security. These are not hard compliance requirements of HIPAA, but are recommended technical best practices for security.
- Logging and audit trails: This feature is available by default on standard Crowdbotics applications. You can access logs anytime from the Crowdbotics dashboard. Logs help you understand who is accessing data in your application and why. In the event of unexpected access or a request to audit your data, you can review logs to determine what occurred.
- User groups and access controls: This feature is available by default on Crowdbotics standard applications. You should make sure, via the Groups page on your application's admin panel, that you have restricted who has access to your platform's data, and that you've turned off any non-essential superuser and staff accounts.
- Automatic security updates: This feature is available by default on Crowdbotics standard applications.
- Password complexity and rotation requirements: We recommend setting up your application to disable common passwords and require changing passwords on a periodic basis.
- Multi-factor authentication: This feature can be installed from the screens page on the Crowdbotics dashboard. We recommend choosing Google Authenticator or another secure 2FA provider.
For further questions, contact your Crowdbotics account manager.