The Health Insurance Portability and Accountability Act (HIPAA) was signed into United States law in 1996 to 'improve the portability and accountability of health insurance coverage' for employees moving between jobs, and to combat waste, fraud, and abuse in health insurance and healthcare delivery.
HIPAA applies to 'covered entities' and their 'business associates'. Covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with treatment, payment, or healthcare operations. Business associates are any person or organisation that creates, receives, maintains, or transmits protected health information on behalf of a covered entity, or that supports its treatment, payment, or operations functions (for example a cloud hosting provider or a software vendor that handles patient data).
Over subsequent years, additional 'Rules' and Acts have been passed. These set standards for safeguarding the privacy and security of medical information and update HIPAA to cover scenarios, such as the widespread use of electronic and mobile technologies, that could not have been foreseen in 1996.
The HIPAA Privacy and Security Rules are fundamentally concerned with the protection of Protected Health Information (PHI). The Privacy Rule covers PHI in any form (paper, spoken, or electronic); the Security Rule covers the electronic subset, ePHI.
The HIPAA Privacy Rule sets limits and conditions on the uses and disclosures that may be made of patient information without the patient's specific authorisation. The Rule also gives patients rights over their health information, such as the right to obtain a copy of their health records and to request corrections.
The HIPAA Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI wherever it is created, stored, or transmitted in electronic form.
In addition, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthened enforcement of HIPAA, raising penalties for violations and introducing breach notification requirements for unsecured PHI.
The Omnibus Final Rule of 2013 closed gaps in the existing HIPAA and HITECH regulations, for example by making business associates directly liable for compliance and by tightening the breach notification standard. Separate HHS guidance issued under HITECH describes the encryption and destruction methods that render PHI unusable, unreadable, or indecipherable to unauthorised persons; ePHI protected in this way is not 'unsecured', so its loss does not trigger the breach notification obligations.
The key areas of HIPAA requirements regarding ePHI include:
HIPAA in the United States and GDPR in Europe share the aim of ensuring the privacy and security of personal data. HIPAA relates to healthcare information only, whilst GDPR applies to personal data more broadly.
However, the regulations differ in important ways, and you cannot assume that being HIPAA-compliant makes you GDPR-compliant, or vice versa. More on GDPR and HIPAA for digital health apps can be found here.
Extra Horizon provides a comprehensive, fully customisable solution for managing, storing, and processing sensitive data in compliance with HIPAA.
Unlike most cloud infrastructure providers, Extra Horizon provides a medical backend-as-a-service, certified to ISO 27001:2017 (information security management system) and ISO 27701:2019 (privacy information management system), amongst others.
This takes much of the burden of regulatory compliance off the shoulders of your organisation and enables a faster time-to-market for health apps.
© 2023 Extra Horizon, All rights reserved