HIPAA Guidelines
Health Insurance Portability and Accountability Act compliance for software development
HIPAA (Health Insurance Portability and Accountability Act) establishes national standards for protecting sensitive patient health information. Software systems that handle Protected Health Information (PHI) must comply with HIPAA requirements.
HIPAA Overview
Who Must Comply?
| Entity Type | Description | Examples |
|---|---|---|
| Covered Entities | Healthcare providers, plans, clearinghouses | Hospitals, insurers, EHR vendors |
| Business Associates | Organizations handling PHI on behalf of covered entities | Cloud providers, IT contractors, billing services |
Key Regulations
| Rule | Purpose |
|---|---|
| Privacy Rule | Standards for PHI use and disclosure |
| Security Rule | Administrative, physical, and technical safeguards |
| Breach Notification Rule | Requirements for breach reporting |
| Omnibus Rule | Extended requirements to business associates |
Security Rule Safeguards
Administrative Safeguards
| Requirement | Implementation |
|---|---|
| Security Management | Risk analysis, risk management, sanction policy |
| Assigned Security Responsibility | Designated security officer |
| Workforce Security | Authorization procedures, clearance procedures |
| Information Access Management | Access authorization, access establishment |
| Security Awareness Training | Security reminders, malware protection, login monitoring |
| Security Incident Procedures | Response and reporting |
| Contingency Plan | Data backup, disaster recovery, emergency operations |
| Evaluation | Periodic security evaluation |
Physical Safeguards
| Requirement | Implementation |
|---|---|
| Facility Access Controls | Contingency operations, facility security plan |
| Workstation Use | Policies for workstation use |
| Workstation Security | Physical safeguards for workstations |
| Device and Media Controls | Disposal, media re-use, accountability, data backup |
Technical Safeguards
| Requirement | Implementation |
|---|---|
| Access Control | Unique user identification, automatic logoff, encryption |
| Audit Controls | Hardware, software, and procedural mechanisms |
| Integrity | Mechanism to authenticate ePHI |
| Person Authentication | Verify identity of persons accessing ePHI |
| Transmission Security | Integrity controls, encryption |
Software Development Requirements
Access Control Implementation
// Example: Role-based access control for PHI
interface AccessPolicy {
resource: string;
actions: ('read' | 'write' | 'delete')[];
roles: string[];
conditions?: AccessCondition[];
}
const phiAccessPolicies: AccessPolicy[] = [
{
resource: 'patient-records',
actions: ['read'],
roles: ['physician', 'nurse', 'medical-assistant'],
conditions: [
{ type: 'treatment-relationship', required: true },
],
},
{
resource: 'patient-records',
actions: ['read', 'write'],
roles: ['physician'],
conditions: [
{ type: 'treatment-relationship', required: true },
{ type: 'break-glass', required: false },
],
},
];
// Enforce minimum necessary access
async function checkAccess(
user: User,
resource: string,
action: string
): Promise<boolean> {
const policy = findMatchingPolicy(resource, action);
if (!policy) return false;
if (!policy.roles.includes(user.role)) return false;
for (const condition of policy.conditions || []) {
if (!await evaluateCondition(condition, user, resource)) {
return false;
}
}
// Log access attempt
await auditLog.record({
userId: user.id,
resource,
action,
timestamp: new Date(),
granted: true,
});
return true;
}Audit Logging
// HIPAA-compliant audit logging
interface AuditEntry {
timestamp: string;
userId: string;
userName: string;
userRole: string;
action: 'CREATE' | 'READ' | 'UPDATE' | 'DELETE' | 'EXPORT' | 'PRINT';
resource: string;
resourceId: string;
patientId?: string;
ipAddress: string;
userAgent: string;
outcome: 'SUCCESS' | 'FAILURE' | 'DENIED';
reason?: string;
dataAccessed?: string[]; // Fields accessed
}
class HipaaAuditLogger {
async logAccess(entry: AuditEntry): Promise<void> {
// Store in immutable audit log
await this.auditStore.append({
...entry,
id: generateUUID(),
hash: this.computeHash(entry),
});
// Alert on suspicious activity
if (this.isSuspicious(entry)) {
await this.alertSecurityTeam(entry);
}
}
private isSuspicious(entry: AuditEntry): boolean {
return (
entry.outcome === 'DENIED' ||
entry.action === 'EXPORT' ||
this.isAfterHoursAccess(entry) ||
this.isUnusualVolume(entry)
);
}
}Encryption Requirements
// Data encryption configuration
const encryptionConfig = {
// At-rest encryption
atRest: {
algorithm: 'AES-256-GCM',
keyManagement: 'AWS KMS', // or HSM
keyRotation: '90 days',
},
// In-transit encryption
inTransit: {
protocol: 'TLS 1.3',
minVersion: 'TLS 1.2',
cipherSuites: [
'TLS_AES_256_GCM_SHA384',
'TLS_CHACHA20_POLY1305_SHA256',
],
},
// Field-level encryption for highly sensitive fields
fieldLevel: {
enabled: true,
fields: ['ssn', 'medical_record_number', 'diagnosis'],
algorithm: 'AES-256-GCM',
},
};Breach Notification
Breach Assessment
Notification Timelines
| Notification | Timeline | Method |
|---|---|---|
| Individuals | Within 60 days | First-class mail |
| HHS | Varies by size | Online portal |
| Media | Within 60 days (if >500 in state) | Prominent media outlets |
Development Checklist
Design Phase
- Identify all PHI data elements
- Document data flows with PHI
- Design access control model
- Plan encryption strategy
- Design audit logging
Implementation Phase
- Implement authentication (MFA recommended)
- Implement role-based access control
- Encrypt PHI at rest and in transit
- Implement comprehensive audit logging
- Add automatic session timeout
- Implement secure password policies
Testing Phase
- Test access control enforcement
- Verify encryption implementation
- Test audit log completeness
- Conduct security assessment
- Perform penetration testing
Deployment Phase
- Verify production encryption
- Confirm backup procedures
- Test disaster recovery
- Document security controls
- Train workforce on new systems
Best Practices
Do
- Implement minimum necessary access
- Use strong authentication (MFA)
- Encrypt all PHI at rest and in transit
- Log all PHI access
- Conduct regular risk assessments
- Train workforce on HIPAA requirements
- Have breach response procedures ready
Don't
- Store PHI in unencrypted form
- Allow shared accounts
- Log PHI in application logs
- Skip security assessments
- Ignore audit log alerts
- Assume cloud providers are HIPAA compliant by default
Related Resources
Compliance
This section fulfills ISO 13485 requirements for confidential information protection (4.2.4) and customer property protection (7.5.4), and ISO 27001 requirements for information classification (A.5.12), access control (A.5.15), and encryption (A.8.24).
How is this guide?
Last updated on