MedStack's compliance section is authored by Abner Weintraub, a 20-year HIPAA compliance expert, owner of ExpertHIPAA.com
What is HIPAA and who does it govern?
HIPAA is the primary U.S. national law governing the privacy and security of health information. HIPAA applies to all direct medical providers, such as clinics and hospitals, and to third parties like app developers who's systems receive, store, process or transmit individually identifiable, personal health or health-billing data. HIPAA law does not apply to private citizens unless they work in some healthcare or associated capacity.
Who enforces HIPAA and how?
HIPAA is officially enforced by the Office for Civil Rights (OCR), part of the U.S. Department of Health & Human Services (HHS). In addition, the recent HITECH Act gave all fifty U.S. State Attorneys General new powers to enforce HIPAA. Enforcement actions range from compliance audits to full investigations of alleged violations, and can result from complaints, reported breaches, whistleblowers and media reports. Penalties for recent HIPAA violations have ranged hundreds of thousands, to many millions of dollars.
What kinds of activities, data and practices does HIPAA govern?
HIPAA regulates virtually all uses and disclosures of individually identifiable health data in all forms: paper, film, and all digital media, such as audio and video recordings and photographs. HIPAA defines, regulates and safeguards so-called "Protected Health Information" (PHI). Apps that contain PHI in any form or format likely have HIPAA compliance obligations, regardless of the nature of the app.
Why does an app maker have to worry about compliance?
Full compliance with HIPAA helps lower overall risk, as HIPAA's technical requirements are based on accepted information technology "best practices." Failure to comply with HIPAA law when required can result in large financial penalties, negative publicity and legal actions from the OCR or the U.S. courts. If a data breach occurs, an app developer may be financially liable for any resulting damages, legal fees, and other expenses, not to mention bad publicity that could damage a start-up's chances of success.
What does an app maker have to do to be compliant? And maintain it?
HIPAA compliance involves a variety of administrative, physical and technical requirements. Everything from office and administrative functions, to the technical elements of hardware, software and networks are impacted if PHI is in the system. Risk assessment, policies and procedures, and HIPAA training are all required. App makers under HIPAA must also sign legal agreements, called Business Associate Agreements, with health entities who provide PHI to them. These agreements limit certain uses and disclosures, and provide for other privacy and security controls over PHI.
Where can one go to learn more?
For general information and guides, visit The U.S. Office of Civil Rights.
For technical requirements, visit the National Institute of Standards & Technology (NIST) and search "HIPAA".
For a detailed summary of of HIPAA requirements, download the free 2016 HIPAA Final Rule Summary at www.ExpertHIPAA.com.