HIPAA sets forth important guidelines relating to the privacy and security of personal health information. If you’re a software developer building healthcare apps, it’s critical that you understand HIPAA and its Privacy and Security rules.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted in 1996 that protects patient health information from being disclosed without the patient’s consent or knowledge. More specifically, the law was created to:
- Improve the flow of sensitive healthcare information
- Specify how personally identifiable information (PII) should be protected
- Address limitations on healthcare insurance coverage
HIPAA compliance for software developers
HIPAA consists of five sections. Each section, or title, addresses a specific component of the act. This article focuses specifically on Title II, known as the Administrative Simplification (AS) provisions, which is the crux of HIPAA compliance for software developers. These provisions were introduced to:
- Establish national standards and unique identifiers for healthcare providers, employers, and health insurance plans
- Set up policies and procedures for maintaining the privacy and security of protected health information (PHI)
- Create programs that prevent healthcare fraud and abuse
To strengthen and enforce the AS provisions, the Department of Health and Human Services (HHS) initiated a series of rules. These rules apply to all “covered entities,” as defined by HIPAA and HHS. Two of the most important HIPAA rules for software developers to understand are the HIPAA Privacy and Security rules.
HIPAA Title II rules
The Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. These standards address the use and disclosure of protected health information (PHI) by covered entities. A covered entity may not use or disclose PHI except as the Privacy Rule permits or requires, or with written authorization from the individual who is the subject of the information.
According to the rule, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.
The Privacy Rule was created to protect an individual’s personal health information while still allowing the flow of health information needed to provide and promote high-quality healthcare. The rule is meant to establish privacy rights for individuals by empowering them to understand and control how their health information is used.
The Security Rule complements the Privacy Rule with a specific emphasis on protecting electronic protected health information (ePHI). While the Privacy Rule applies to all PHI, the Security Rule requires appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI.
HHS guidance states that a major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ ePHI.
Transactions and Code Sets
Another goal of HIPAA is to make the healthcare system in the U.S. more efficient by standardizing healthcare transactions. Transactions are activities involving the transfer of healthcare information for specific purposes. Under HIPAA, if a health plan or healthcare provider engages in one of the identified transactions, it must comply with the standard for that transaction, which includes using a standard code set to identify diagnoses and procedures. The Standards for Electronic Transactions and Code Sets adopt standards for several transactions, including claims and encounter information, payment and remittance advice, and claims status.
Identifier Standards for Employers and Providers
HIPAA covered entities are required to use a National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions. An NPI is a unique 10-digit identification number for covered healthcare providers.
Enforcement Rule
The Enforcement Rule contains provisions relating to compliance. The rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violations.
Help with HIPAA compliance
HIPAA is a highly complex set of laws designed to standardize and modernize the flow of information in the healthcare industry – with a specific emphasis on protecting a patient’s privacy.
As healthcare providers collect and digitize more personal health data, covered entities and business associates will increasingly be held accountable for any data loss and security breaches that occur due to negligence. Therefore, it is imperative that software developers who work with healthcare providers have a thorough understanding of HIPAA and its role in safeguarding PHI across digital and cloud technologies. Need help with HIPAA compliance? Visit HHS or contact your legal team.
This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and Digital Scientists Inc., its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining from acting, in reliance on the information contained in this publication or for any decision based on it.