If your business deals with health data in the U.S., you need to learn about the Health Insurance Portability and Accountability Act (HIPAA).
This article will describe what HIPAA law is (contents of law) so you can determine whether your website or app is controlled by it.
There's also a HIPAA compliance checklist available to help you find the best approach to meeting your obligations.
History of HIPAA
President Bill Clinton signed HIPAA in 1996.
Its enactment increased the use of electronic medical records, which in turn spurred the development of new online services and apps for accessing this data.
Along with making records more accessible, especially to patients and workers under group health insurance programs, it also enacted new privacy controls.
The primary purpose of HIPAA was to make it easier for workers in the U.S. to keep their health insurance when they changed or lost jobs.
This is covered in "Title I" of the act concerning access, portability, and the renewal process. Employers and health insurers must comply with notice requirements that keep workers informed as they make work transitions.
These provisions also required health insurers and health care providers to make information accessible to workers and patients. This encouraged the further development of electronic records which were not widespread in 1996.
As this started to change, electronic records required new means of protection, which gave rise to new rules for protecting the privacy of this information.
While the provisions in "Title I" of HIPAA law were effective immediately, the privacy provisions did not become effective until 2003 due to technological limitations.
"Title II" of HIPAA, also known as the Privacy Rule, enacts these requirements. As a developer of a website and/or mobile app, this is the part of HIPAA that affects your website or app.
The Privacy Rule protects "Protected Health Information" or "PHI". This includes:
- Demographic data about an individual
- Past, present or diagnosed mental or physical conditions
- Health care treatment
- Past, present or probable payments charged for the treatment
Health information that does not identify an individual is exempt.
For example, if you have an app that shares anonymous study results between medical professionals, that would not be subject to the Privacy Rule of HIPAA.
The Privacy Rule is more concerned with health conditions and individuals' identities being linked.
How to comply with HIPAA
Health plans, health care clearinghouses, and any healthcare provider who uses electronic records must comply with HIPAA. If you are a developer employed in-house with an entity that falls under these categories, you have likely already incorporated HIPAA into your everyday tasks.
These are the entities that handle health data directly.
Kaiser Permanente is a large health insurer in the U.S. It is also very innovative with online solutions that allow patients to pay premiums and bills online, email their doctors, and access lab results and medical records.
The "Privacy Statement" page of Kaiser Permanente makes it clear to users that they are entitled to protection under HIPAA while also integrating other notices they will receive as they use the services:
Providence Health and Services is another large insurer that offers online access through a tool called myProvidence. The User Agreement page for this service refers to HIPAA in its dispute resolution clause:
As insurers and health care providers, Kaiser Permanente and Providence are obvious targets of the HIPAA Privacy Rule.
However, the Privacy Rule of HIPAA also covers business associates of health insurers and providers. That is where, as an independent developer, you can still be held responsible for these requirements.
In addition to the parties that handle the data directly, HIPAA also extends to business associates. These are third parties that include people and entities who perform functions for or on behalf of the covered entities, including independent contractors.
If your website or mobile app serves clients in the health field, you likely qualify as a business associate.
A website or a mobile app that helps patients make appointments and access their stored records, for example, often means having access to that information. For that reason, you need to follow the requirements outlined in HIPAA.
Likewise, if your website or app sends data to a hospital or clinic, like with patients emailing doctors, you will have to take HIPAA-compliant measures.
The same is true if your service helps medical professionals collaborate on patient treatment.
Basically, the standard is: if you enable communication or exchange between health professionals or between these professionals and their patients, you need to follow HIPAA.
For example, Med-IT offers a web service for health professionals to access records. It explains this purpose in its secure login screen:
Med-IT is a business associate since it offers a way for professionals to access records. That is why it must maintain HIPAA compliance even though its primary business purpose is not directly providing healthcare or health insurance.
Amazon Web Services offers cloud compliance services regarding HIPAA to Orion Health, HealthCare.gov and many others who provide insurance and health care to Americans. Amazon also provides white papers to its healthcare cloud clients on how to use its services in a compliant manner.
Amazon offers these services clearly on its first page, although there are no HIPAA references in its agreements:
Amazon also makes its duties well-known. It acknowledges that it is a third-party business associate that must comply with HIPAA. In its FAQ, it describes this duty and even agrees to sign contracts indicating this relationship:
Amazon's direct involvement with HIPAA issues requires this transparency. Other entities that share information offer HIPAA provisions more as a precaution.
Fitness apps (mostly mobile apps) are different because the information is not provided as an official diagnosis by a healthcare provider. The data recorded by these apps is provided by the user or a device they purchased.
If your website or mobile app helps users record their own data either manually or through a device, you do not fall under HIPAA.
Google Fit, Wahoo, and Fitbit do not mention the law in their documents and there is no legal precedent that holds them to it. However, if any of these apps started collaborating with users' primary physicians or took a role in diagnosis and treatment, you would likely see more attention towards HIPAA compliance.
Also, if you decide to add a feature that transmits fitness data from users to their medical providers, you will have to consider HIPAA.
As long as you limit your app to users recording their own data, you do not need to be worried about HIPAA.
When HIPAA passed in 1996, there were no smartphones and accessing records online was only beginning. As technology evolved, the interpretation of HIPAA changed to match these changes.
One of these issues concerns cloud services that can be accessed online or through an app.
Examples of HIPAA Privacy Policies
Medical clinics, from nursing homes to dentists to general practitioners, all must have Privacy Policies in place that are HIPAA-compliant because they collect and maintain health information for their patients.
Here are a number of examples of how medical clinics place, locate, and link to their HIPAA Privacy Policies on their websites.
- HIPAA Privacy Notice
- HIPAA Notice of Privacy Practices
The name doesn't matter, so long as it is clear that "HIPAA" and "Privacy" are the subject matter of the respective legal page.
Example from Phelps Memorial Hospital Center
Phelps Memorial Hospital Center places a link to its HIPAA Privacy Notice in the footer of its website. This makes it easily accessible from and prominently placed on every page of the website:
Phelps' legal notice is also accessible from the "Patient and Visitor Info" menu bar:
And on its left side menu bar:
Example from Floyd Memorial Hospital and Health Services
Example from AmeriHealth
Example from Delta Dental
Delta Dental places its HIPAA Notice of Privacy Practices within its "Legal Notices" section, under a "Privacy and Security" subheading.
Example from University of Denver
The University of Denver places its HIPAA Privacy Practice under the "About Us" section of its website along with other important information about the University's Health and Counseling Center.
A link is also placed in the "Quick Links" section that's located on the bottom half of every page. This location helps users find the link quickly and easily, and also shows its importance.
Example from Washington Radiology Associates
HIPAA Compliance Checklist
Before you start designing a HIPAA compliance program and changing your agreements to reflect it, consider these potential security problems and how they affect your online service or app:
- Mobile and wearable devices are easily lost and stolen, leaving data vulnerable.
- Email and social media make it easy to post something that violates HIPAA.
- Push notifications containing PHI are possible HIPAA violations.
- Users may breach PHI either carelessly by failing to take precautions or intentionally.
- Not all of your users employ screen-lock security or passwords on their mobile devices, leaving any PHI available to whoever comes across the device.
- Mobile devices like iPhones do not have physical keyboards, so users are more likely to create basic passwords that are not as safe.
Even if your service is only available online and not through a mobile app, keep in mind that laptop computers get stolen and many users have tablets that they use like a computer.
This makes your service just as portable as if you created a mobile app and just as easy to compromise.
Therefore, you will want to implement the following practices whether you provide a mobile app, online service or both:
Unique user identification.
Every user needs to have a login name or number to make it easy to identify and track them. Attempt to move away from obvious login information like first and last names.
Create unique identifiers that are not simple to guess.
Emergency access procedures.
While you want the information locked up tight, it should still be accessible by authorized medical and emergency personnel. Create a system where this is possible yet make it secure.
You have to comply with HIPAA but also meet the needs of your clientele.
Many privacy issues can be avoided if apps or online services contain an automatic logoff. Fifteen minutes of inactivity is the standard but users may prefer to keep that window shorter or longer.
Encryption and decryption.
You want to encrypt PHI whenever possible as that reduces inappropriate access and use.
However, you want to ensure that authorized users will not be confronted with gibberish when they look up this information during a medical event.
Audit controls include processes that examine and record activity when PHI is accessed.
Hardware, software, and procedural guidelines should record who accesses the information, the purpose for the access, and the health conditions examined through the records.
Login information can be stolen.
For the most sensitive information, include additional steps such as thumbprint readers, additional personal questions for the user, and any other steps to ensure that the one accessing the data is authorized.
Limit who may modify information or change its privacy settings.
If there are modifications, set up a detection method so another authorized person is notified of what just occurred.
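As an added illustration of the automatic logoff and audit-control items above (example code written for this article, not from any product or organization named on the page), the following Python service issues non-guessable user identifiers, expires a session after the 15-minute inactivity default (configurable, as the text notes), and records every PHI read with who, which record, and the stated purpose. The record store, clock values and event names are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Default inactivity window from the checklist; callers may shorten or lengthen it.
INACTIVITY_LIMIT_SECONDS = 15 * 60
# Constructed sample PHI store (record id -> content); not real data.
RECORDS = {"rec-001": "constructed: allergy list", "rec-002": "constructed: lab result"}

def new_user_id() -> str:
    """Opaque, non-guessable login identifier instead of a name-based one."""
    return secrets.token_urlsafe(16)

@dataclass
class Session:
    user_id: str
    last_activity: float  # seconds; supplied by the caller so tests are deterministic

@dataclass
class PhiAccessService:
    timeout: float = INACTIVITY_LIMIT_SECONDS
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def login(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # bearer token, never the user id itself
        self.sessions[token] = Session(user_id, now)
        return token

    def _active_session(self, token: str, now: float):
        """Return the session if still active; otherwise expire it (automatic logoff)."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.last_activity > self.timeout:
            del self.sessions[token]
            self.audit_log.append({"event": "auto_logoff", "user": s.user_id, "at": now})
            return None
        s.last_activity = now
        return s

    def read_record(self, token: str, record_id: str, purpose: str, now: float):
        """Every PHI read is audited: who, which record, and the stated purpose."""
        s = self._active_session(token, now)
        if s is None:
            self.audit_log.append({"event": "denied", "record": record_id, "at": now})
            return None
        self.audit_log.append({"event": "phi_read", "user": s.user_id,
                               "record": record_id, "purpose": purpose, "at": now})
        return RECORDS.get(record_id)
```

Denied reads are logged too, so a stolen or expired token that is replayed leaves a trace for review.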
Review your agreements.
Another option is to create separate HIPAA documents or perhaps a clearly worded FAQ. There are many options described here from minimalist to overkill.
As with any other policy, it depends on your level of risk aversion.
Now that you have an idea of how these legal agreements (the Privacy Policies) can be linked to a website that collects and uses users' health data, and how they can be titled differently, let's take a look at how the agreements themselves are structured.
- Permitted Uses & Disclosures
- Other Uses/Special Situations
- Your Rights
- Contact Information
Note that these clauses or disclosures may be named differently from agreement to agreement, and some agreements may include additional clauses, depending on factors such as the company's business model and any additional health data it collects.
The "Introduction" disclosure doesn't have to be labeled as such, but it can be.
It's usually used as a quick summary of the content found in the rest of the agreement. You can include a statement that you, the company collecting and using health data, are required by law to maintain the privacy of "Protected Health Information" and that you are required to provide users with a copy of your current legal agreement upon request.
Here's an example of an "Introduction" clause from the HIPAA Policy of Phelps Memorial Hospital Center:
Another example of the "Introduction" clause from the HIPAA Notice of Privacy Practices of Delta Dental is below.
Note how the structure differs from Phelps', but the general information outlined remains the same:
Permitted Uses and Disclosures
This type of section in a HIPAA Notice, the "Permitted Uses and Disclosures", is where the company, organization or medical clinic spells out how it will use and disclose protected health information.
Among medical clinics, this type of disclosure usually has three sub-sections: "Treatment", "Payment", and "Healthcare Operations".
The example below from Washington Radiology shows a breakdown of the three main sub-sections, as well as general examples of what would fall under each sub-section.
Here's another example of how Delta Dental has structured this disclosure section.
Note how there is no separation of the "Treatment", "Payment", and "Healthcare Operations" sections, but they're all mentioned in the header of the clause and all covered within the clause.
Other Uses/Special Situations
Occasionally there will be special situations where the permitted uses and disclosures of personal health information differ from the usual ones.
In the example below, Floyd Memorial Hospital and Health Services lists out all of the special situations where personal health information will be disclosed without needing the typically required authorization for disclosure.
Below is an example of how Washington Radiology breaks down this "Other Uses/Special Situation" clause.
Patients are informed that other disclosures aside from those mentioned in the previous clause may occur, but not without written permission, unless a situation permitted or required by law as described in the following section occurs.
This can be a good way to let patients know the differing levels of disclosure and requirements for consent or authorization prior to disclosures.
This clause spells out the rights of the users or patients in regard to the HIPAA act.
There are 7 rights granted to patients through the HIPAA Privacy Rule and each should be included in this clause.
Below is an example from the legal agreement of Phelps Hospital of a clearly numbered breakdown of rights of patients:
Washington Radiology takes the approach of summarizing each right in a first summary sentence, then describing the right in further detail in the following paragraph. This can help the user locate specific information faster:
Make sure that you include a section for each of the 7 patients' rights as outlined by the HIPAA act.
This type of section is where you tell users or patients whom to contact if they believe their privacy rights have been violated.
You can let a user/patient know that they will not be retaliated against for filing a complaint. In the example below, a phone number for someone at the organization has been provided, as well as federal complaint information:
You must provide users and/or patients with your contact information, such as a phone number, email address, and physical/mailing address where you can be contacted: