Compliance Guide
How to become a HIPAA compliant digital health solution
The Health Insurance Portability and Accountability Act (HIPAA) was signed into United States law in 1996 to "improve the portability and accountability of health insurance coverage" for employees between jobs, and to combat waste, fraud, and abuse in health insurance and healthcare delivery.
HIPAA applies to "covered entities" and their business associates. Covered entities are defined as anyone providing treatment, payment, and operations in healthcare. Business associates include anyone who has access to patient information and/or provides support in treatment, payment, or operations.
Over subsequent years, additional Rules and Acts have been passed. These set standards for safeguarding the privacy and security of medical information and update HIPAA to cover scenarios, such as the widespread use of electronic and mobile technologies, that could not have been foreseen in 1996.
The HIPAA Privacy and Security Rules
The HIPAA Privacy and Security Rules are fundamentally concerned with the protection of electronic Protected Health Information (ePHI), so that all healthcare data is kept private and confidential.
The HIPAA Privacy Rule sets limits and conditions on the uses and disclosures that may be made of patient information without specific authorisation. The Rule also gives patients rights over their health information, such as to obtain a copy of their health records and to request corrections.
The HIPAA Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI wherever it is held or transferred in electronic form.
In addition, the Health Information Technology for Economic and Clinical Health (HITECH) Act applies new penalties for breaches of HIPAA, in particular regarding ePHI.
The Omnibus Final Rule of 2013 closed gaps in existing HIPAA and HITECH regulations, such as specifying the encryption standards that need to be applied to render ePHI unusable, undecipherable, and unreadable in the event of a breach.
7 HIPAA Technical Safeguards
The key areas of HIPAA requirements regarding ePHI include:
Authorisation controls
So that ePHI can be accessed only by authorised users. Systems should be in place to identify and track user activity, automatically log the user out after a period of inactivity, and allow access to ePHI during an emergency.
Audit controls
That monitor, record, and appraise all ePHI activity.
Data integrity
So that records cannot be altered or tampered with.
Backup
So that data cannot be lost, and is always recoverable.
Storage encryption
Ensuring security whenever data is stored or archived.
Transmission security
Requiring that data be encrypted if transmitted over the internet.
Secure disposal
So that data is permanently erased when no longer needed.
HIPAA and GDPR
HIPAA in the United States and GDPR in Europe share the aim of ensuring the privacy and security of personal data. HIPAA relates to healthcare information only, whilst GDPR applies more broadly.
However, the regulations differ in important ways: HIPAA compliance does not imply GDPR compliance, and vice versa. If your digital health solution serves both US and EU patients, you will need to address both regulations independently. Extra Horizon's platform is designed to support compliance with both.
Discover Extra Horizon: the platform for medical compliance
Extra Horizon provides a comprehensive, fully customisable solution for managing, storing, and processing sensitive data in compliance with HIPAA.
Unlike most cloud infrastructure providers, Extra Horizon provides a medical backend-as-a-service, certified to ISO 27001:2017 (information security management system) and ISO 27701:2019 (privacy information management system), amongst others.
This takes most of the burden of regulatory compliance off the shoulders of your organisation, and enables much faster time-to-market for health apps.
Built for HIPAA compliance from the ground up
Our platform handles the heavy lifting of HIPAA technical safeguards — authorisation controls, audit trails, encryption at rest and in transit, secure backups, and more — so your team can focus on your application.