HIPAA Explained for Developers

TL;DR: Who must comply with the HIPAA? Any business collecting Personal Health Information in the United States must comply, regardless of location. How does HIPAA compliance change workflows? It requires establishing security evaluation tools, regular security training, and consistent communication between legal and development teams.

The Health Insurance Portability and Accountability Act (HIPAA), enacted August 21st, 1996, outlines the nature of Personal Health Information (PHI) and requires that it be stored and shared according to certain standards of its Privacy Rule. The Act was the first of its kind, a response to concerns over vulnerable infrastructure developed during the rapid digitization of health information and administration in the 1990s.

HIPAA is as relevant today as ever, and compliance is just as mandatory. Compliance can reduce risk and prevent loss in a variety of ways. Non-compliant platforms are more likely to experience avenues of loss associated with data breaches, including:

• Loss of proprietary information, platform secrets, and projects under development
• Costs to recover platform integrity
• Fines issued by government regulatory organizations
• Cost to become HIPAA compliant
• Loss of relevant industry certifications
• Reputation damage resulting in loss of clients or traffic
• Lengthy and expensive legal action

Here, we’ll cover who is covered under HIPAA, how it might alter your development pipeline, and why you might care about HIPAA standards regardless of the type of information collected and processed by your platform.

Before you continue: This isn't legal advice, and you should consult with legal counsel to ensure you’re implementing HIPAA properly for your circumstances.

Who must become compliant:

“The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

If you or your business collects, stores, or uses Personal Health Information, digitally or physically, you must be HIPAA compliant in ensuring confidentiality, integrity, and availability. The HIPAA Enforcement Rule, supplemented by the Health Information Technology for Economic and Clinical Health (HITECH) Act, established compliance and investigation procedures and set monetary penalties for violations. The Department of Health and Human Services’ Office for Civil Rights (OCR) enforces these standards.

Check-in with your legal team to ensure they are aware of any and all information collected, stored, or processed by your platform and whether that information is covered under HIPAA.

How would compliance change your workflow?

There are several compliance standards necessary for a development team. The resulting changes to the workflow to achieve these standards may have additional, outsized impacts across the company, though solutions to many of HIPAA’s standards complement and support each other.

HIPAA demands that platforms identify and protect against reasonably anticipated threats. The changes to the development process here are twofold. The first is to establish a regular and comprehensive practice of evaluating existing infrastructure for vulnerabilities. The second is to plan any future updates in a security-oriented manner so they, too, will maintain the safety and integrity of current systems.

It is also important that development teams communicate regularly with their legal counterparts. The language used in HIPAA and similar acts has many implications that are too lengthy and intricate to cover here. Phrases like ‘reasonably anticipated,’ for instance, impact platforms differently from industry to industry. It’s essential to ensure a development team correctly interprets its security responsibilities for its specific platform.

Similarly, ‘Ensure confidentiality, integrity, and availability’ casts broad strokes with few words. Workflow changes here must continue to build safety and intentionality into the workflow with proper documentation and development vision. This means designing and testing data structures with a lens of compliance before optimizing and implementing them into the platform.

The addition of availability in this standard also requires certain PHI to be made available to clients and consumers. Achieving expedient availability might require significant additions or redesigns of platform infrastructure. This is another case where developers should check in with the legal team to identify relevant types of information and how available it must be to clients and consumers.

The last workflow alteration is comprehensive, slotting in at all levels of the process. It involves instituting regular training for developers, management, compliance teams, and legal teams to stay up-to-date on threat anticipation and prevention, as well as relevant legal responsibilities. This addition is key to staying ahead of the curve in an evolving cybersecurity landscape.

What if my platform does not collect PHI?

Regardless of your platform's relevance to the data it processes or collects, many of the HIPAA workflow changes promote more informed, better-documented development practices.

Routine threat assessments bolster platform security, identify infrastructure vulnerabilities before they become costly breaches, and allow teams to move quickly to mitigate damages.

Compliance is not just an obligation! Making compliance and security a feature can boost your platform's credibility with clients and customers. These practices have positive outcomes in security, sustainability, and flexibility relevant to any data-oriented organization.

Protecting customer data is essential for building and maintaining trust. Your data is one of the most valuable parts of your organization. Did you know Doppler can help protect your data by ensuring secure access to your application secrets? Learn more about how we can help manage your API keys, tokens, and more.