HIPAA Compliant Software Development

HIPAA compliant software development consists of developing software for the healthcare and health insurance industries that – when it is used by a HIPAA covered entity to create, receive, store, or transmit Protected Health Information – will support compliance with all applicable standards of the HIPAA Administrative Simplification Regulations.

In recent years there has been a growing demand for HIPAA compliant software development driven by the COVID-19 pandemic, CMS’ Promoting Interoperability program, and – most recently – HHS’ proposals to update the HIPAA Security Rule. The growing demand has prompted some vendors to refactor existing software and market it as being HIPAA compliant.

However, HIPAA software compliance consists of more than access controls and encryption. HIPAA compliant software must, at a minimum, include capabilities that support end user compliance with the HIPAA Administrative Safeguards (45 CFR §164.308) and any related regulatory requirements – such as CMS’ Emergency Preparedness Rule.

In addition, if a vendor has persistent access to Protected Health Information (PHI), they must implement measures to safeguard the confidentiality, integrity, and availability of PHI received by, sent by, or maintained in their own systems. These measures include physical safeguards, workforce HIPAA training, security incident preparedness, and contingency planning.

HIPAA Requirements for Software Development

The HIPAA requirements for software development vary depending on whether the end product will be hosted in-house (by the HIPAA covered entity), hosted by the vendor with transient access to PHI, or hosted by the vendor with persistent access to PHI. They can also vary depending on whether subcontractors are used in the provision of the service.

If the end product is hosted in-house or the vendor only has transient access to PHI, the HIPAA requirements for software development are the minimum requirements discussed above. However, if a vendor has persistent access to PHI (including “no view” persistent access), they – and the software – must comply with all applicable HIPAA Administrative Simplification Regulations.


With regards to Business Associate Agreements, it is not necessary for a vendor of HIPAA compliant software to enter into a Business Associate Agreement with a HIPAA covered entity if the software is hosted in-house or if the vendor has transient access to PHI. This is because any PHI disclosed to the vendor is temporary and incidental to the software’s functions.

Conversely, if a vendor has persistent access to PHI, it is necessary to enter into an upstream Business Associate Agreement with the HIPAA covered entity and downstream Business Associate Agreements with any subcontractors used in the provision of the service (e.g., Microsoft, AWS, Google, etc.) if those downstream subcontractors also have persistent access to PHI.

Certified HIPAA Compliant Software Development

As the demand for HIPAA compliant software development has grown, the number of software vendors, mHealth app developers, and IT consulting companies has also increased – some better at developing HIPAA compliant software than others. HIPAA covered entities are aware of the inconsistencies in HIPAA software compliance, but often do not have the resources to conduct due diligence or evaluate dozens of options before subscribing to a service.

One way in which software vendors, mHealth app developers, and consulting companies can get noticed by prospective customers is to get their software certified as HIPAA compliant. Often this is a relatively short process that can be used to identify vulnerabilities or areas in which the software is not fully compliant – giving developers an opportunity to improve the software and ensure the security of PHI created, received, stored, or transmitted by it.

It is also worth noting that, although at present the certification of HIPAA software is not a requirement of HIPAA, HHS’ proposed update to the HIPAA Security Rule includes provisions that would require business associates to verify annually that they have deployed the necessary technical safeguards to protect PHI. Under the proposal, the verification must be provided by a subject matter expert, who certifies that an analysis of the safeguards has been performed and is accurate.

Vendors, developers, and consulting companies who require more information about HIPAA compliant software development, the certification of HIPAA software, or the proposals to require annual recertification are advised to speak with an independent compliance professional.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/