HIPAA Software Development F.A.Q.

HIPAA Software Development

Technosoft takes HIPAA-related security and privacy responsibilities very seriously. Our HIPAA policies and procedures are periodically reviewed by third-party HIPAA experts and are routinely communicated to all employees. All new and existing employees go through rigorous HIPAA training. All employee access to PHI is logged and monitored. Special procedures are in place for System Administrators and Help Desk professionals, who usually have direct exposure to PHI. A breach reporting mechanism is in place and is communicated to all employees.
Further details can be acquired by requesting a set of our HIPAA policies and procedures. Anis Siddiqy, our Chief Security and Privacy Officer, will be happy to answer any further questions you may have.

We design and develop healthcare software with an extensive focus on HIPAA privacy and security compliance. The following are the different levels at which we provide HIPAA implementation and compliance.

  • Employees & Organization Level
  • System Physical Security
  • Network & Server Security
  • Data at Rest Security
  • Application Server Security
  • Application Client Security, Smart Phone/User Device Level
  • Data in Transit Security

As discussed, you may not need a BAA if you are not providing software maintenance services, but you will need to have HIPAA policies in place in case you do get exposed to PHI by mistake.
Consider this example: your solution is deployed at a client hospital and you have no access to it at all. The hospital staff see a bug while providing healthcare services to Patient Samantha. The hospital reports that bug and by mistake mentions the patient’s name to you. That is a PHI breach. Now how do you deal with that breach? You need to have policies in place to take care of this.

HIPAA applies to covered entities collecting and generating patient healthcare data. If you consider yourself a covered entity or a hybrid entity, then HIPAA would apply to you. If you consider yourself to be collecting only your clients’ activity data, then HIPAA would not apply to you. Consider this. My iPhone is always collecting my step count, yet Apple is not liable to apply HIPAA to the Apple Health application, because it is not a covered entity and it considers step count activity data, not health data. In addition, they specifically state what they will do with the collected data and obtain the user’s consent. This is the tracking-industry norm as of now.

All of these fall into the same category; you will just need to make sure you have a good terms and conditions section that each user agrees to. Look at Withings and other similar products: they all collect such data and are not HIPAA compliant.
There is another aspect to this. If you plan to sell your solution to insurance companies or chronic care management programs (this is how many tracking companies sometimes get outside funding), then you will need to make the solution HIPAA compliant, because you may then become part of a covered entity and these programs may require you to be HIPAA compliant.

We can do a gap analysis of your software offering and list all the gaps that need to be filled to become HIPAA compliant. Some requirements HIPAA considers “Required”, and others HIPAA deems “Addressable”. The addressable ones may or may not apply to your particular implementation and environment. A few areas that are must-haves are:

  • Authentication and Role-Based Authorization.
  • PHI Access Logging
  • Security of data in transit and at rest
  • Emergency Access Procedure
  • Audit Controls
  • PHI Confidentiality, Availability and Integrity Assurance
  • Physical Security of the System
  • etc.

After the gap analysis is done, the changes are made to the software, and policies and procedures are implemented and in place, you can say your software is HIPAA compliant. Saying “HIPAA friendly” may be legally correct but politically problematic.

So for an overall HIPAA consultancy, the following are our rough effort estimates:

A: 2-3 sessions of technology review to do a Gap analysis.
2 x 2-hour session + Prep Time + Findings Documentation = 10 Hours
2 x 1-hour session + Prep Time + Findings Documentation = 6 Hours

B: 5-6 30-minute consults to reach a mutual agreement on HIPAA-related directions that are technically and business-wise feasible = 6 Hours (including documentation support)

C: Email Correspondence and Q&A: 4-5 Hours

D: HIPAA Training to required employees: 1×2 hour session + 30 minutes Q&A= 2.5 Hours

For Policies and Procedures:

  1.  Technosoft can help you set up your initial set of Policies and Procedures from our basic set of templates.
  2.  If you already have written Policies and Procedures, we can review and modify them as they apply to you.
  3.  Provide consultancy on the practicality and applicability of the selected policies.
  4.  Training on those modified policies and procedures.

Technosoft has Business Associate Agreements in place with many business associates and covered/hybrid entities. We have HIPAA policies and procedures in place, and we will be happy to execute a BAA after review.

We are a Business Associate of a few vendors, so we have the required HIPAA policies and procedures in place. We provide periodic HIPAA training to our developers. Anis Siddiqy, our Chief Security and Privacy Officer, has been a HIMSS-certified Healthcare Security professional since 2002. We provide HIPAA training and compliance support to our clients as well. Please see the further FAQs below describing the different levels of HIPAA compliance services we offer.

Technosoft has HIPAA policies and procedures in place for all its employees and subcontractors. These policies are rigorously followed and enforced. Please see section (Technosoft as Vendor) for details.

Our applications and data reside on servers hosted in the Amazon AWS environment or with other third-party vendors who provide HIPAA compliant hosting solutions with BAA protection. All these servers are hosted in special data centers designed for high availability and for healthcare customers with strict security requirements. These servers are physically inaccessible to anyone except the vendor’s employees. Our customers have a Business Associate Agreement in place with Amazon and the other vendors. These servers are backed up on a periodic basis. All these servers can be placed in a redundant server pool, helping our customers provide high availability.

Our solutions are hosted in redundant data centers and placed in a private, secure subnet accessible only to our customer’s employees. Except for the HTTP and HTTPS ports (80, 443), all access to this subnet is restricted at the IP level, and all remote access to this subnet is logged.
All OS-level access is done through an RDP/Linux bastion host. Direct remote OS-level access is strictly prohibited except for system updates and patch management. All help desk support is done using a tool that can communicate directly with the OS level. Patches and security updates are applied at regular intervals, depending on the security requirements.

All our customers’ data is stored in a Relational Database Management System (RDBMS). No direct access to the RDBMS files is allowed except for the system administrator, and all OS-level remote access is screen captured. All data stored in the RDBMS is in encrypted form, and all access is controlled through the RDBMS’ authentication and authorization mechanism.

All access to the database is served through an application server (Tomcat, IIS, etc.). Role-based security is implemented at the application server level, and all access is authenticated and authorized using OAuth or other authentication frameworks. All user access is logged in the database. We provide configuration options that let each client select password strength, auto-logout and other addressable features.
Technosoft favors object-based access and a layered approach to each action called: each action, when invoked, implicitly logs the user’s access to it.
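As an added example (not Technosoft’s code), here is one way the layered, action-level model above can be implemented: a single gateway that checks the session’s idle timeout and the caller’s role, then records the PHI access in an audit trail on the handler’s behalf, so no action can be reached without being logged. The role names, action names, patient identifiers and the 15-minute idle limit are constructed for illustration.

```python
import time
from contextlib import suppress
from dataclasses import dataclass
# Constructed sample role table: which actions each role may call (names assumed).
ROLE_PERMISSIONS = {
    "physician": {"view_chart", "update_chart"},
    "helpdesk": set(),  # help desk staff get no direct PHI actions
}
@dataclass
class Session:
    user: str
    role: str
    last_active: float
    idle_timeout_s: int = 900  # per-client auto-logout setting (an "addressable" control)

class ActionGateway:
    """Single choke point: checks session liveness and role, then logs the PHI access itself."""
    def __init__(self, now=time.time):
        self.now = now      # injectable clock so the scenario below is deterministic
        self.handlers = {}
        self.audit = []     # stands in for the audit table in the RDBMS
    def register(self, action, handler):
        self.handlers[action] = handler
    def call(self, session, action, patient_id, *args):
        entry = {"ts": self.now(), "user": session.user, "action": action, "patient": patient_id}
        if self.now() - session.last_active > session.idle_timeout_s:
            self.audit.append({**entry, "outcome": "denied:session_expired"})
            raise PermissionError("session expired, log in again")
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            self.audit.append({**entry, "outcome": "denied:unauthorized"})
            raise PermissionError(f"role {session.role} may not {action}")
        session.last_active = self.now()
        result = self.handlers[action](patient_id, *args)
        self.audit.append({**entry, "outcome": "ok"})  # read-only actions are logged too
        return result

def demo():
    # Constructed scenario; returns the audit outcomes in order.
    clock = [1000.0]
    gw = ActionGateway(now=lambda: clock[0])
    gw.register("view_chart", lambda pid: {"patient": pid, "chart": "(constructed data)"})
    doc = Session("dr_ada", "physician", last_active=1000.0)
    gw.call(doc, "view_chart", "P-001")                 # permitted: logged as ok
    with suppress(PermissionError):                     # wrong role: denied and logged
        gw.call(Session("hd_bob", "helpdesk", 1000.0), "view_chart", "P-001")
    clock[0] += 901                                     # idle past the 15-minute limit
    with suppress(PermissionError):                     # expired: denied and logged
        gw.call(doc, "view_chart", "P-002")
    return [e["outcome"] for e in gw.audit]
```

Denied attempts are written to the audit trail as well as successful ones, which is what makes the log useful when reviewing who tried to reach PHI.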

For clients who have a mobile client application, we build additional security into the client application to protect data against theft or loss of these mobile devices. We develop Android- and iOS-based HIPAA compliant m-health applications.

All Technosoft healthcare applications can be deployed over HTTPS, with SSL/TLS encryption.

We provide second- and third-level help desk support to our healthcare customers. We have extensive help desk support security mechanisms and procedures in place. Please contact our privacy officer to request a copy of our HIPAA help desk support procedures.

We are collecting FAQs for HIPAA Software Development. If you have any particular question, feel free to send it to us; we will be happy to answer it and add it here if it is asked frequently.