How to Make an App HIPAA-Compliant
Process and Best Practices
With more than 150 healthcare IT projects delivered, ScienceSoft helps its clients to achieve and maintain HIPAA compliance.
Software HIPAA Compliance in a Nutshell
Making an app HIPAA-compliant means implementing technical safeguards across several software layers: architecture, data-handling mechanisms, code, and design elements. It is mandatory for any US-targeted app that stores, processes, or transmits electronic protected health information (ePHI) on behalf of a covered entity or business associate. Violating the Security or Privacy Rule can lead to breaches affecting thousands of people and to severe fines. For example, a flaw in an internal application of the Texas Health and Human Services Commission (TX HHSC) left the sensitive data of 6,617 individuals exposed over the internet; in 2019 the agency agreed to pay $1.6 million to settle the resulting HIPAA violations, which included missing access and audit controls and the lack of a risk analysis.
Key steps to make an app HIPAA-compliant
- Elicit compliance requirements and make a HIPAA-compliant project plan.
- Implement technical safeguards.
- Evaluate the app’s security.
- Maintain compliance after deployment.
- Carry out HIPAA compliance pre-audits.
With 19 years of hands-on experience in healthcare IT and 21 years in cybersecurity, ScienceSoft helps its clients prevent non-compliance. Use our free calculator to estimate the cost for your case.
A Guide to Achieving HIPAA Compliance in Software
ScienceSoft's consultants have compiled a checklist with tasks to be completed at each stage of the software development lifecycle to make HIPAA-compliant apps.
1. Discovery and project planning
The first step is to determine whether the app will need to be HIPAA-compliant at all (see the applicability criteria at the end of this step).
If the answer is "yes", take care of the following before development starts:
- (If you outsource app development, modernization, or compliance testing) Sign a Business Associate Agreement (BAA) with service providers who have access to PHI.
- Appoint a compliance consultant overseeing the development process or outsource compliance consulting to a competent vendor.
- Ensure all the discovery team members are experienced in translating compliance requirements into software requirements.
- Prepare the development team to keep exhaustive documentation of the process (detailed software architecture, encryption methods, access policies, etc.).
- Plan the main software user roles (patients, physicians, admins) and the corresponding access rights and permissions.
Clinical-use apps that handle PHI must comply with HIPAA. This includes apps that healthcare providers prescribe for managing specific conditions, even if the app itself is focused on general well-being; for instance, a provider may prescribe a meditation app to help relieve post-surgical pain or chronic pain in fibromyalgia or osteoarthritis.
However, when the user manages the data without any involvement of a healthcare provider (HCP) and the app vendor does not provide the app on behalf of an HCP, HIPAA may not apply. For example, a consumer downloads a health app to manage a chronic disease or to record blood glucose and blood pressure readings taken with home equipment. If no HCP is involved and the vendor is not creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity or another business associate, the vendor is not subject to HIPAA (the data may still fall under other rules, such as the FTC's Health Breach Notification Rule).
2. Infrastructure preparation and development
- Ensure secure and highly redundant infrastructure. If you use cloud services, choose a provider that will sign a BAA and deploy only its HIPAA-eligible services (e.g., Azure or AWS); the provider's BAA covers the platform, while the configuration of your own workloads remains your responsibility.
- Install and configure firewalls, anti-malware, IDS/IPS to secure the networks.
- Enable at-rest and in-transit data encryption. Under the Security Rule, encryption is an "addressable" specification, so you must either implement it or document why an equivalent alternative is reasonable; in practice, properly encrypted ePHI that is lost or stolen is not treated as a reportable breach, which makes encryption the default choice.
ScienceSoft's tip: application-level at-rest encryption can hurt performance, so file-level or block-level encryption (e.g., transparent disk or database encryption with centrally managed keys) may be a better alternative for bulk storage.
- Implement access controls such as user authentication and authorization, automatic logoff, etc. For instance, HIPAA-compliant mobile apps can use biometric authentication.
- Establish an emergency-access ("break-glass") procedure for reaching patient data when normal authorization paths are unavailable, with every such use logged and reviewed, along with data backup and recovery procedures.
- Integrate audit controls to record any interactions with ePHI.
- Use secure communication protocols (e.g., TLS 1.2 or later) to protect in-transit data, including traffic to third-party integrations.
- Implement integrity controls to prevent improper ePHI alteration or destruction.
- Provide mechanisms for detecting and reporting PHI breaches, e.g., anomaly detection over access logs, so that affected individuals and HHS can be notified within the timelines of the Breach Notification Rule.
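The access-control, break-glass, audit and integrity items above fit together in one small ePHI access layer. The following is an added example, not ScienceSoft's code or any client's; the roles matrix, the 15-minute idle timeout, the HMAC key and the patient records are all constructed for the demo:

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Assumed roles matrix: which operations each role may perform on ePHI.
ROLE_PERMISSIONS = {
    "patient":   {"view_own"},
    "physician": {"view", "add", "modify"},
    "admin":     {"view", "add", "modify", "delete"},
}
IDLE_TIMEOUT_SECONDS = 15 * 60  # automatic logoff after 15 idle minutes (assumed value)
INTEGRITY_KEY = b"demo-only-key"  # constructed; in production hold this in a KMS/HSM

class AccessDenied(Exception):
    pass

@dataclass
class Session:
    user_id: str
    role: str
    last_activity: float

@dataclass
class EphiStore:
    records: dict = field(default_factory=dict)    # patient_id -> (json bytes, HMAC tag)
    audit_log: list = field(default_factory=list)  # append-only; ship to a WORM store
    def _tag(self, payload: bytes) -> str:
        return hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()
    def _audit(self, session, action, patient_id, outcome, **extra):
        self.audit_log.append({"ts": time.time(), "user": session.user_id,
                               "role": session.role, "action": action,
                               "patient": patient_id, "outcome": outcome, **extra})
    def _authorize(self, session, action, patient_id, now, break_glass=False):
        # Automatic logoff: an idle session is rejected and must re-authenticate.
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            self._audit(session, action, patient_id, "denied", reason="session_expired")
            raise AccessDenied("session expired")
        session.last_activity = now
        allowed = ROLE_PERMISSIONS.get(session.role, set())
        own = action == "view" and "view_own" in allowed and patient_id == session.user_id
        if action in allowed or own:
            return
        if break_glass and action == "view":
            # Emergency access: granted, but flagged for mandatory post-hoc review.
            self._audit(session, action, patient_id, "break_glass")
            return
        self._audit(session, action, patient_id, "denied", reason="role")
        raise AccessDenied(f"{session.role} may not {action} ePHI")
    def put(self, session, patient_id, record: dict, now=None):
        now = time.time() if now is None else now
        action = "modify" if patient_id in self.records else "add"
        self._authorize(session, action, patient_id, now)
        payload = json.dumps(record, sort_keys=True).encode()
        self.records[patient_id] = (payload, self._tag(payload))  # integrity tag
        self._audit(session, action, patient_id, "ok")
    def get(self, session, patient_id, now=None, break_glass=False) -> dict:
        now = time.time() if now is None else now
        self._authorize(session, "view", patient_id, now, break_glass)
        payload, tag = self.records[patient_id]
        if not hmac.compare_digest(tag, self._tag(payload)):
            self._audit(session, "view", patient_id, "integrity_failure")
            raise ValueError("record integrity check failed")
        self._audit(session, "view", patient_id, "ok")
        return json.loads(payload)

def _raises(fn, exc) -> bool:
    try:
        fn()
        return False
    except exc:
        return True

def demo() -> dict:
    """Exercise each safeguard on constructed data; returns the observed outcomes."""
    store, t0 = EphiStore(), 1_700_000_000.0
    doc = Session("dr_lee", "physician", t0)
    patient = Session("p42", "patient", t0)
    nurse = Session("nurse_kim", "nurse", t0)  # role absent from the matrix
    admin = Session("admin1", "admin", t0)
    store.put(doc, "p42", {"dx": "E11.9", "a1c": 7.4}, now=t0)
    out = {
        "physician_view": store.get(doc, "p42", now=t0)["a1c"],
        "patient_own": store.get(patient, "p42", now=t0)["dx"],
        "patient_other_denied": _raises(lambda: store.get(patient, "p43", now=t0), AccessDenied),
        "nurse_denied": _raises(lambda: store.get(nurse, "p42", now=t0), AccessDenied),
        "nurse_break_glass": store.get(nurse, "p42", now=t0, break_glass=True)["a1c"],
        "idle_logoff": _raises(lambda: store.get(doc, "p42", now=t0 + 16 * 60), AccessDenied),
    }
    payload, tag = store.records["p42"]  # simulate tampering with the stored record
    store.records["p42"] = (payload.replace(b"7.4", b"9.9"), tag)
    out["tamper_detected"] = _raises(lambda: store.get(admin, "p42", now=t0), ValueError)
    out["break_glass_logged"] = any(e["outcome"] == "break_glass" for e in store.audit_log)
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points matter more than the code size: every decision, including denials and break-glass use, lands in the audit trail before the caller sees the result, so the log can answer "who touched this record and why"; and the HMAC tag is checked on every read, so a record altered behind the application's back (a direct database edit, a corrupted backup) is refused rather than silently served.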
3. Security check
ScienceSoft recommends regularly carrying out the following activities:
- Using the roles matrix to evaluate the risks related to different operations (viewing, adding, deleting, and modifying ePHI).
- Conducting the vulnerability assessment and penetration testing of the app and its infrastructure.
- Performing an automated code review to reveal encryption errors, cross-site scripting vulnerabilities, etc.
- Manually assessing the auditing, logging, and data validation mechanisms, the security of communication, etc.
- Checking that code obfuscation (for mobile clients) and deserialization filtering (allow-listing the classes that may be loaded from untrusted input) are in place.
- Simulating SQL and script injections.
There are cases where healthcare software already in use needs to be tested for HIPAA compliance again after undergoing significant changes (say, you added new features or migrated a legacy solution to the cloud). For increased security, ScienceSoft uses mock test data instead of real ePHI when testing such software for HIPAA compliance.
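Two of the checks listed above, deserialization filtering and SQL injection simulation, can be automated in a small harness that runs against mock data rather than real ePHI, in line with the practice described in the previous paragraph. The following is an added example, not ScienceSoft's code; the allow-list, the patient rows, the injection string and the lookup functions are all constructed for the demo:

```python
import io
import pickle
import sqlite3

# ---- 1. Deserialization filtering ----------------------------------------
# Allow-list of globals an untrusted pickle may reference; anything else is refused.
SAFE_GLOBALS = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

class GadgetPayload:
    """Constructed malicious object: a plain pickle.loads() would call os.system('id')."""
    def __reduce__(self):
        import os
        return (os.system, ("id",))

def check_deserialization() -> dict:
    benign = pickle.dumps({"patient": "p42", "vitals": [120, 80]})
    hostile = pickle.dumps(GadgetPayload())  # never passed to plain pickle.loads()
    try:
        restricted_loads(hostile)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return {"benign_roundtrip": restricted_loads(benign), "hostile_blocked": blocked}

# ---- 2. SQL injection simulation -----------------------------------------
def setup_db() -> sqlite3.Connection:
    """In-memory table of constructed (non-real) patient rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, mrn TEXT, name TEXT, dx TEXT)")
    conn.executemany("INSERT INTO patients (mrn, name, dx) VALUES (?, ?, ?)",
                     [("MRN001", "Ada", "E11.9"), ("MRN002", "Ben", "I10"), ("MRN003", "Cy", "J45.909")])
    return conn

def lookup_vulnerable(conn, mrn):
    # String-built query: the weak form the check is expected to flag.
    return conn.execute(f"SELECT mrn, name, dx FROM patients WHERE mrn = '{mrn}'").fetchall()

def lookup_parameterized(conn, mrn):
    # Bound parameter: user input can never change the query structure.
    return conn.execute("SELECT mrn, name, dx FROM patients WHERE mrn = ?", (mrn,)).fetchall()

INJECTION = "MRN001' OR '1'='1"

def check_sql_injection(lookup) -> dict:
    conn = setup_db()
    legit = lookup(conn, "MRN001")
    injected = lookup(conn, INJECTION)
    # Any row beyond the single legitimate match means the payload altered the query.
    return {"legit_rows": len(legit), "injected_rows": len(injected), "vulnerable": len(injected) > 1}

def run_checks() -> dict:
    return {
        "deserialization": check_deserialization(),
        "string_built_query": check_sql_injection(lookup_vulnerable),
        "parameterized_query": check_sql_injection(lookup_parameterized),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(run_checks(), indent=2))
```

The string-built lookup returns all three patients for the injected value, which is exactly the over-disclosure a HIPAA security check has to catch; the parameterized version returns none. The unpickler allow-list is the Python counterpart of Java's ObjectInputFilter: the hostile payload is refused at the point where the class would be resolved, before any constructor or reducer runs.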
4. Maintaining compliance after deployment
- Prepare user guides on how to operate the software without endangering ePHI.
- Carry out regular security and HIPAA compliance checks.
- If any changes are introduced to the software, revise and update documentation accordingly.
5. HIPAA compliance pre-audit
It can be conducted before deployment or at any stage of the application lifecycle before the upcoming audit. ScienceSoft's compliance consultants recommend including the following activities in the pre-audit:
- Vulnerability assessment and pentesting.
- Checking audit logging.
- Verifying that code obfuscation and deserialization filtering are in place.
- Evaluating data validation mechanisms, the security of communication, etc.
- Access and integrity controls assessment.
- Checking if any medical software functionality changed after deployment and modifying the documentation accordingly.
Check How ScienceSoft Achieves HIPAA Compliance
About ScienceSoft
- 21 years in cybersecurity and 19 years in healthcare IT.
- 150+ successful healthcare IT projects.
- ISO 13485, ISO 9001, and ISO 27001 certificates.
- Hands-on experience with HIPAA, GDPR, FDA, ONC, MDR, SAMHSA, CEHRT, and SAFER regulations.
- Proficiency in healthcare standards such as HL7/FHIR, ICD-10, LOINC, CPT, XDS/XDS-I, DICOM, Blue Button+, CDA, and CCD.
- 3-year champion in the Financial Times' rating of Americas' fastest-growing companies.
- #1 in Healthcare Software Development, according to the Black Book™ 2023 market survey.
What makes ScienceSoft different
We achieve project success no matter what
ScienceSoft does not pass mere project administration off as project management, which, unfortunately, often happens on the market. We practice real project management, achieving project success for our clients no matter what.
Sourcing Models for HIPAA-Compliant Software Development
In-house HIPAA-compliant software development
- Full control over the project.
- Risk of poorly translating HIPAA requirements into software requirements due to the lack of expertise.
Team augmentation
- Access to highly qualified specialists in HIPAA-compliant software development, opportunity to scale up or down the resources when needed.
- Need for efficient management and smooth communication between the teams.
Fully outsourced HIPAA-compliant software development process
- The vendor is fully responsible for the delivery of a HIPAA-compliant app.
- High vendor dependency.
Note: The compliance assessment of the existing software can be conducted by a self-managed team of a PM, a compliance consultant, and one or several security engineers, depending on the app's complexity.
Technologies ScienceSoft Uses to Develop and Evaluate HIPAA-Compliant Software
Development and Compliance Check Costs
Key factors to consider when creating HIPAA-compliant apps:
- Software type (telemedicine, RPM, EHR, etc.) and scope.
- Platform (web, mobile, desktop).
- User roles (patients, doctors, nurses, etc.) and the expected number of users.
- Integrations (e.g., with EHR, wearables, etc.).
- Additional compliance requirements (GDPR, FDA/MDR regulations, etc.).
- Performance, security, usability, and accessibility requirements.
- Required software maturity (an MVP or a fully-featured solution).
- Sourcing model (in-house vs. outsourcing).
The costs of HIPAA-compliant app development may vary from $40,000 to $2,000,000+. Below are some sample cost ranges for popular software types:
- From $40,000 for a HIPAA-compliant patient app not integrated with an EHR, e.g., for medication intake management.
- From $200,000 to $400,000 for telemedicine software.
- From $200,000 to $400,000 for remote patient monitoring or medical device software.
- From $300,000 to $800,000 for a digital therapeutics solution.
- From $400,000 to $2,000,000+ for EHR software.
The cost of a HIPAA compliance pre-audit ranges from $10,000 to $25,000.