Understanding HIPAA & PIPEDA Compliance: A Checklist for Software

The Health Insurance Portability and Accountability Act (HIPAA) is a United States legislation that clearly outlines, establishes, and provides rules and provisions concerning the safeguarding, security, and data privacy of medical information. This includes the gathering, storage, use, transfer, exposure, and destruction of all medical data from all types of medical establishments and from all parties which have access to said medical data. HIPAA has become one of the main laws that dictate how medical software works and what security features and measures are used with it in the United States. Businesses that do not comply with HIPAA guidelines face hefty financial penalties. In Canada, the comparable legislation is the Personal Information Protection and Electronic Documents Act (PIPEDA).

What Is the Difference Between HIPAA & PIPEDA?

HIPAA is a Federal United States legislation that governs the privacy and security of personal health information within the healthcare industry, specifically with healthcare providers, healthcare insurers, and healthcare exchange organizations. The legislation outlines clear requirements that must be followed for any organization that is working with personal data, as this aids in protecting patients and allows organizations to make informed decisions with that information. Health information within the United States is also governed by state laws, but when any data is transferred outside of the United States, the data is no longer protected by HIPAA.

In Canada, the PIPEDA applies to all personal data, including health data. The purpose and scope of PIPEDA are to enforce organizations to accept full responsibility and accountability for the protection of all collected data, regardless of the province, industry, or type of data that is collected. The legislation also recognizes that individuals have a right of privacy with respect to their personal information and gives them the ability to access any personal information an organization collects, know who is responsible for collecting it, why it is being collected and may challenge the accuracy of collected data. Similarly to HIPAA, each province has its own rules, regulations, and governances with regards to the collection of said data.

If you are a business within the province of Ontario, there is equivalent legislation to HIPAA in the Personal Health Information Protection Act (PHIPA). The PHIPA sets out rules that health custodians must follow when collecting, using, and disclosing personal information.

Who Are The Canadian Health Custodians?

Health custodians being doctors, nurses, hospitals, homes for special care, pharmacies, medical laboratories, local medical officers, ambulance services, community care centres, long-term care homes, mental health programs, and the Ministry of Health.

The key difference between the PHIPA and PIPEDA is that PIPEDA applies to any organization that collects, uses, and discloses personal information while partaking in commercial activities, while the PHIPA, applies to health custodians that collect, use, and disclose personal health information, regardless of whether it is in the course of commercial activities.

What Is Defined as a Commercial Activity Under PIPEDA?

Any particular transaction, conduct, act, or regular course of conduct that is of a commercial character, including selling, bartering, and leasing.

What Protected Health Information is Covered by HIPAA?

The HIPAA legislation is concerned with protected health information and electronically protected health information. These include the following pieces of collected data.

What Is Protected Health Information Under PIPEDA?

As PIPEDA is broader than HIPAA, the personal information defined under the legislation is any information that on its own or combined with other pieces of data, will identify you.

Who Are Covered Entities Under HIPAA & PIPEDA?

Under HIPAA, a covered entity is any specialist who is working in the healthcare industry and has access (directly or indirectly) to personal health information. Most common examples are doctors, nurses, and medical officers.

Under PIPEDA, a covered entity is any private organization that collects personal information (of any kind) during the course of commercial activity. PIPEDA also includes federally regulated organizations as well, businesses, and interprovincial or international transfer of personal information. Under this, organizations within aerospace, banking, transportation, telecommunications, offshore drilling, and radio/television broadcasts are also included.

What Is a Business Associate Under HIPAA?

This is any non-medical specialist that works with covered entities who may also have access to personal health information or electronic personal health information. This can be an individual like a lawyer or information technologist specialist (IT).

Understanding HIPAA Rules & PIPEDA Principles

The 3 main rules behind HIPAA.

1. The HIPAA privacy rule: The privacy rule provides full control to individuals over their own private information. It also improves data security by assigning a clear responsibility for electronic personal health information and describes the legal processes for using and releasing any electronic personal health information. This privacy rule protects a wide range of medical records and personal healthcare information and is considered a national standard.
2. The HIPAA security rule: While not initially in the signed document back in 1996, the security rule was added in to set normalized standards for how covered entities could treat personal health information that is either received, transferred to, saved, or produced in the electronic format. This was introduced in 2005.
3. The HIPAA Omnibus rule: Also not initially in the signed document back in 1996, it was added to expand the definition of what a business associate is to include third-party contractors. This required them to comply with HIPAA security and privacy, ensuring that notification rules for breaches were being followed when dealing with personal health information.

It is important to note that HIPAA does have a lot of other rules within it that impacts companies. Primarily these address workflow, the physical protection of workplaces, internal networks, and policies around violation but these are not directly related to compliance of the software itself.

The 10 principles behind PIPEDA.

A comparable list to HIPAA’s 3 main rules, is PIPEDA’s 10 main principles. This is just an overview look at these so that you can see what the compliance guidelines are when creating software in Canada.

1. An organization is required to be accountable for personal information under its control. An individual or individuals must be designated to ensure the organization is compliant, including any and all information that is transferred to third-party vendors for processing.
2. Personal information gathering must be identified. When personal information is collected, the organization will identify at the time or before the time of collection.
3. There must be consent given. Individuals must consent and have knowledge of that personal information is being collected, used, or disclosed, except where inappropriate.
4. Personal information collected is limited. The type of personal information that is collected must be limited to only what is necessary for the purposes identified by the organization. It must also be collected through fair and lawful means.
5. There is limited use of disclosure and retention. All personal information cannot be used or disclosed for any purpose other than that for which it was collected for, except with the consent of the individual as required by law. Information that is retained can only be retained for as long as necessary to fulfil the purpose for which it was collected.
6. All personal information must be accurate, complete, and up to date for the purpose of which it is to be used.
7. Personal information must be protected by safeguards that are appropriate to the sensitivity level of the information
8. An organization must be readily available and willing to provide individuals with specific information about its policies and practices that relate to how personal information is managed.
9. An individual has access, upon request, to the existence, use, and disclosure of their personal information and will be given access to that information. An individual can challenge the accuracy and completeness of the information and have it amended.
10. An individual has challenging compliance; where they can address a challenge that concerns compliance with the above principles to the individual(s) accountable for their organization’s compliance.

Now that you know and understand the main principles behind the HIPAA and PIPEDA legislation, we can go through and create a software checklist to ensure that your project is compliant, regardless of whether you are in the United States or Canada.

Making Your Software Compliant: An 8 Point Checklist

If you are in the United States, HIPAA requires you to use the most up to date and modern technologies available to secure both your healthcare software and the data it uses. However, HIPAA does not narrow down or name any precise technologies that are “must-use” giving you the freedom to use tools that are not going to become outdated in a few years. What does this mean? You can use any toolset, security features, or technology stack with your project as long as it complies to HIPAA.

What are the terms of compliance?
While the toolsets and security technologies may not be set in stone, there are requirements that have to be met. This includes ensuring that your software has a secure authentication system, the ability to securely transfer, store, backup and encrypt data, control access, and more. We go over these in more depth below.

1. Access Must be Strictly Controlled: Your healthcare software is going to process a large volume of sensitive data in the form of electronic personal health information, and while it may seem like you need a lot of employees to handle the data, you shouldn’t assign all employees. Instead, limit access to only the data that needs to be handled by employees with role-based access control. This allows you to protect the data from malicious intent and reduce the number of human errors that may occur in handling the data.
   • Define all specialists who will need to work with the software and implement roles for each of them. This could include IT specialists, doctors, nurses, medical staff, medical officers, and administrators.
   • Define a list of data types that each specialist will need access to for work purposes. Always limit the access to the absolute minimum rather than giving more access than needed. Provide a method for requesting additional access when necessary.

   

2. Session Times Should Be Limited: To increase how secure your personal health information is, consider limiting session times. Use an automatic log out system that is designed to log out an individual after a period of inactivity. This protects from unauthorized use of your software by the information that has been left unsupervised. Session times can be extended or shortened per access-role as work requires it.
3. Data Encryption: While you are not obligated to encrypt data under HIPAA, data security is a must. This gives you a bit of flexibility on how you want to approach protecting the data. Data encryption itself is fast and easy for medical information, so encrypting is a popular approach that many companies use. The trick with data encryption is to only use reliable encryption protocols and store access keys in a locked-down and securely tight location.
4. Use Activity Tracking Systems: The advantage of using an activity tracking system is that it can identify patterns based on the regular actions taken by your software users. Any activity that does not fit in will be considered suspicious and it will alert you, effectively giving you a heads up and additional time to prevent a security breach and data theft. An additional advantage of this is that actions and the identification of those using the software can help you find out who the last person to work with the system was, potentially leading you to how the hackers got in.
5. Backup All Data: Any information used by your software must be securely stored and backed up. The law demands that all data must also be stored on a reliable third-party server, separated from the original data bank. This is for restoration purposes during data loss scenarios. Always backup data frequently.
6. Create a Secure Authentication: There are plenty of ways that you can go about creating a secure authentication. Here are some of the most popular options.
   • Biometrics: For employees using mobile devices, tablets, or laptops with your software, you can use special sensors that will scan their fingerprint or their face to provide access. This ensures that if the device is lost or stolen, no one can access the software and the data without the biometrics of the individual.

   

   • Multi-factor Authentication: This type of authentication requires the user to enter in a password, an email, and an additional parameter like a one-time use code or password. This additional parameter is often delivered in a separate manner through email or a mobile authenticator application.
   • Passwords that expire: Passwords should be updated frequently and they should be strong. In the event that they are not, they could easily be hacked. Use expiring passwords to force users to change their passwords or update them on a rotating schedule.
   • Physical Identification: This could be a physical card, an electronic key or a token that is stored on a memory card. These would be used in tandem with a password or one-time code.
   • Risk-based Authentication: This type of system employs a complex procedure that calculates a risk score when a user logs into the system. The risk-based procedure will track access attempts, internet protocols, geolocation, used devices, and other parameters to determine if there is a discrepancy from normalized patterns. Additional verification may be required for an individual to access if a discrepancy is found.
7. Create a Secure Data Transfer & Storage System: Since physical servers are expensive and also difficult to protect, it is better to use a cloud storage option. Not only can you store that data quickly and efficiently, but it can be protected and transferred when needed. You want to choose a cloud storage service that is HIPAA compliant right out of the gate.



8. Protect All Correspondence: While you are not required to encrypt email correspondence directly by HIPAA, it is definitely something you want to do if you are transferring a lot of personal health information to external networks. For secure external encryption protocols, use S/MIME, OpenPGP, or AES. You can encrypt internal correspondence, but it’s not as necessary as external. A side note, if you have frequent correspondence between covered entities, it is best to use a secure chatting feature within your software over email.

Conclusion

While the list of requirements is lengthy, there are plenty of modern toolsets, technologies, and methods that can be used to ensure that your software is compliant with all HIPAA or PIPEDA regulations. Protecting your software and the personal information that you collect will ensure that your users will feel safe and that you avoid hefty financial fines for non-compliance. It’s worth taking the time to ensure your healthcare software is 100% compliant.

You can learn much more things by Research & Development activity and create HIPAA and PIPEDA compliant Smart diagnostic Systems and Telehealth consultation platforms. For more details and queries, you can contact us.