HIPAA safeguards for medical web design have grown significantly in importance over the last five years, both for entities that are required to be HIPAA compliant, such as doctor’s offices, hospitals and health insurers, and for their business associates, who are at high risk of data security and privacy breaches. Business associates are third-party providers such as software providers, couriers, technology companies, hosting providers and more. In 2013 the law was changed to require business associates to be HIPAA compliant too. If you are an app development company or a web design company, you need to strictly adhere to the HIPAA requirements while developing a medical app.
Three Security Rule Safeguards of HIPAA to be complied with:
1. Administrative HIPAA Safeguards
2. Technical HIPAA Safeguards
3. Physical HIPAA Safeguards
Web design or application development companies will focus primarily on the technical and physical requirements.
There are two kinds of implementation specification within each of the safeguards. They are:
1. Required – these safeguards must be implemented.
2. Addressable – these are not optional either; they can be implemented as appropriate to the environment, but if there is any doubt, implement them.
Following is a quick look at each of the three safeguards. For more detailed information, go through ‘The Developer’s Guide to HIPAA Compliance’ on GitHub.
Technical HIPAA Safeguards
The Technical Safeguards focus on the technology that protects PHI and controls access to it. The rule does not prescribe any particular technology; the security standards are deliberately technology neutral, so any technology that meets them may be used.
There are five standards that must be met to satisfy this area of the law. They are:
1. Access Control
2. Audit Controls
3. Integrity
4. Person or Entity Authentication
5. Transmission Security
At a high level they cover: unique user identification, emergency access procedures, automatic logoff, encryption and decryption, audit controls, mechanisms to authenticate PHI, authentication, and transmission integrity controls with in-flight encryption.
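The following is an added illustration of how several of these technical safeguards look in application code; it is example code written for this page, not code from the original article or from the Developer’s Guide on GitHub. It models a small PHI access layer with unique user IDs, per-user patient authorization (Access Control), an inactivity timeout that enforces automatic logoff, and an HMAC-chained audit log whose integrity can be verified afterwards (Audit Controls and Integrity). The 15-minute timeout, the `PhiService` class name, the audit key and the patient records are all constructed assumptions for the demo; in a real deployment the audit key would come from a secrets manager and PHI would sit in an encrypted database behind TLS.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed settings for this example (assumptions, not values from HIPAA or the article)
SESSION_TIMEOUT_SECONDS = 15 * 60                     # automatic logoff after 15 minutes idle
AUDIT_KEY = b"demo-audit-key-replace-in-production"   # constructed key for the audit HMAC chain


class AccessDenied(Exception):
    """Raised when a request fails access control or the session has expired."""


class PhiService:
    """Minimal PHI access layer: unique user IDs, patient-level authorization,
    automatic logoff on inactivity, and a tamper-evident audit log."""

    def __init__(self, clock=time.time):
        self.clock = clock           # injectable clock so the timeout can be demonstrated
        self.records = {}            # patient_id -> PHI dict (constructed demo data)
        self.sessions = {}           # token -> {"user_id", "patients", "last_seen"}
        self.audit_log = []          # list of {"entry": ..., "mac": ...}
        self._prev_mac = b""         # chain anchor: each MAC covers the previous one

    def login(self, user_id, authorized_patients):
        """Issue a session bound to a unique user ID and the patients they may access."""
        token = secrets.token_hex(16)
        self.sessions[token] = {"user_id": user_id,
                                "patients": set(authorized_patients),
                                "last_seen": self.clock()}
        self._audit(user_id, "login", None, True)
        return token

    def _session(self, token):
        """Look up a session and enforce automatic logoff after inactivity."""
        sess = self.sessions.get(token)
        if sess is None:
            raise AccessDenied("unknown session")
        now = self.clock()
        if now - sess["last_seen"] > SESSION_TIMEOUT_SECONDS:
            del self.sessions[token]
            self._audit(sess["user_id"], "auto_logoff", None, True)
            raise AccessDenied("session expired by automatic logoff")
        sess["last_seen"] = now
        return sess

    def read_record(self, token, patient_id):
        """Return a patient's record only if the session's user is authorized; log every attempt."""
        sess = self._session(token)
        allowed = patient_id in sess["patients"] and patient_id in self.records
        self._audit(sess["user_id"], "read", patient_id, allowed)
        if not allowed:
            raise AccessDenied("user not authorized for this patient")
        return dict(self.records[patient_id])

    def _audit(self, user_id, action, patient_id, success):
        """Append an audit entry whose HMAC also covers the previous entry's HMAC."""
        entry = {"ts": self.clock(), "user": user_id, "action": action,
                 "patient": patient_id, "ok": success}
        payload = json.dumps(entry, sort_keys=True).encode()
        mac = hmac.new(AUDIT_KEY, self._prev_mac + payload, hashlib.sha256).digest()
        self.audit_log.append({"entry": entry, "mac": mac.hex()})
        self._prev_mac = mac

    def verify_audit_log(self):
        """Recompute the HMAC chain; any edited or deleted entry breaks it."""
        prev = b""
        for item in self.audit_log:
            payload = json.dumps(item["entry"], sort_keys=True).encode()
            expected = hmac.new(AUDIT_KEY, prev + payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expected.hex(), item["mac"]):
                return False
            prev = expected
        return True


def demo():
    """Walk through the safeguards with constructed data and a controllable clock."""
    now = [1_000_000.0]
    svc = PhiService(clock=lambda: now[0])
    svc.records["p-100"] = {"name": "Constructed Patient A", "dx": "example only"}
    svc.records["p-200"] = {"name": "Constructed Patient B", "dx": "example only"}
    token = svc.login("dr.alice", ["p-100"])        # unique user ID, authorized for p-100 only
    results = {"own_patient": svc.read_record(token, "p-100")["name"]}
    try:
        svc.read_record(token, "p-200")             # not in dr.alice's patient list
        results["other_patient"] = "allowed"
    except AccessDenied:
        results["other_patient"] = "denied"
    now[0] += SESSION_TIMEOUT_SECONDS + 1           # simulate the user walking away
    try:
        svc.read_record(token, "p-100")
        results["after_idle"] = "allowed"
    except AccessDenied:
        results["after_idle"] = "denied"            # automatic logoff kicked in
    results["audit_intact"] = svc.verify_audit_log()
    svc.audit_log[2]["entry"]["ok"] = True          # tamper: rewrite the denied read as allowed
    results["tamper_detected"] = not svc.verify_audit_log()
    return results


if __name__ == "__main__":
    print(demo())
```

The chained HMAC is what turns a plain log into an audit control: an attacker with write access to the log cannot alter or drop an entry without also knowing the audit key, and a periodic `verify_audit_log()` run is the detection hook.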
Physical HIPAA Safeguards
These are rules and guidelines that focus on physical access to PHI. They help protect sensitive data from unauthorized access. When thinking about these, be sure to look at your backup procedures and cloud storage providers. Have a developer syncing all their files to their personal Dropbox? You could be looking at a violation. There are four standards to be met in this area of the law. They are:
Facility Access Controls – contingency operations, a facility security plan, access control and validation procedures, and maintenance records.
Workstation Use – security policies and procedures for how workstations that access PHI are used.
Workstation Security – physical safeguards that restrict access to workstations that access PHI.
Device and Media Controls – disposal, media re-use, accountability, and backup and storage specifications.
Administrative HIPAA Safeguards
These are the policies regarding the conduct of your workforce, and the measures put in place to protect PHI.
As part of them, you are required to:
Assign a privacy officer
Complete an annual risk assessment
Implement employee training
Review policies and procedures regularly
Execute Business Associate Agreements with all partners who handle PHI (such as hosting providers)
The nine standards in the Administrative Safeguards section of the Security Rule include 18 implementation specifications. While too many to list here, they include things such as risk analysis and management, a sanction policy, information system activity reviews, employee oversight and data access, login monitoring, emergency procedure policies, evaluation policies and more. See the checklist for a detailed rundown.
Besides the safeguards outlined above, there are the HIPAA Privacy Rule standards and a long list of further HIPAA Security Rule standards, which are not discussed here. For a complete understanding of the matter, web design companies and app development companies should be thorough with ‘The Developer’s Guide to HIPAA Compliance’ on GitHub before embarking on the project.
Contact us for quality medical transcription services.