How to Make Your Telemedicine App HIPAA-Compliant

• (If you outsource telemedicine app development, modernization, or compliance testing) Sign a Business Associate Agreement (BAA) with the service provider who will have access to PHI.
• Assign a compliance consultant to monitor the development process. Outsourcing compliance consulting is a viable option if you do not plan to hire an in-house consultant.
• Confirm that the discovery team has sufficient experience in HIPAA-compliant software development to accurately translate your compliance requirements into software requirements.
• Ensure that the team members keep complete documentation of the process (detailed telemedicine software architecture, risk management practices, security testing records, etc.).
• Design the matrix of access rights and permissions based on telemedicine software user roles (patients, medical professionals, administrators).

• Design the app’s IT infrastructure to be secure and highly redundant to ensure data security, availability, and integrity in line with the HIPAA rule.
• Utilize HIPAA-compliant cloud services (e.g., Azure or AWS) that offer scalable data storage.
• Protect the networks with firewalls, anti-malware, and IDS/IPS.
• Enable data encryption at rest and in transit.
• Use secure communication protocols (e.g., SSL/TLS) to protect data in transit.
• Implement mechanisms that will automatically delete messages after a specified retention period.
• Provide features like message recall and self-destruct to allow users to remove sensitive data quickly if sent on accident.
• Utilize encrypted video codecs (e.g., VP9, H.264) to protect the privacy of telehealth conversations.
• Enable strict access controls such as multi-factor authentication and automatic logoff. Mobile telemedicine apps can use facial recognition or fingerprint scanning.
• Implement audit controls to record any interactions with ePHI.
• Set up integrity controls to protect ePHI from improper alteration or destruction.
• Create a break-glass account for emergency access to sensitive patient information and data backup and recovery mechanisms.
• Create mechanisms to identify and notify users about PHI breaches. For instance, machine learning algorithms can automatically scan the app for unusual activities and send alerts in case of abnormalities.
• Choose a HIPAA-compliant payment solution (e.g., Square, PaymentCloud).

Verifying HIPAA compliance of telemedicine software is not a one-time procedure. Only continuous measures can ensure the security of a telehealth application and all transmitted and stored data. ScienceSoft suggests regularly conducting the following activities:

• Vulnerability assessment and penetration testing of the telemedicine app and its infrastructure. Conduct penetration tests at least once a year.
• Automated code review to reveal data encryption errors, cross-site scripting vulnerabilities, and other potential attack vectors.
• Manual assessment of auditing, logging, data validation mechanisms, communication security, etc.
• Verifying obfuscation and serialization filtering.
• Simulating SQL and script injections.

• Provide users with guidelines on secure telemedicine software operation and privacy protection.
• Examine the data security of your telemedicine application and its compliance with HIPAA regularly.
• When the software is modified, update its documentation accordingly.
• Simulate social engineering attacks to confirm employee vigilance and knowledge of best cybersecurity practices.

A HIPAA assessment is usually conducted before the software launch. However, ScienceSoft’s compliance experts also recommend it for live telemedicine apps if there have been significant software modifications, security incidents, or changes in HIPAA regulations. We suggest including the following activities in the pre-audit:

• Conducting vulnerability assessment and penetration testing.
• Confirming that obfuscation and serialization filtering are implemented.
• Evaluating access and integrity controls.
• Assessing data validation mechanisms.
• Checking if communication is secure and audit logging is proper.

• Modifying the documentation according to the introduced changes (if applicable).