In the healthcare sector, user privacy promotes effective communication between patients and healthcare providers, protects individuals’ dignity, and prevents economic harm, embarrassment, and discrimination. Although patient-data protection is a healthcare cornerstone in numerous jurisdictions globally, this article focuses specifically on the relevant United States legislation.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) aims to protect this privacy and control the disclosure of patient health data (a.k.a. “protected health information” or “PHI”).
HIPAA’s Privacy Rule requires that appropriate safeguards be implemented by health plans, healthcare clearinghouses and healthcare providers to protect PHI privacy. It also sets conditions on PHI disclosures without patients’ authorisation. HIPAA’s Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of patients’ electronic PHI (ePHI).
For firms subject to HIPAA, compliance failures can result in substantial fines being issued, as recent incidents have shown:
A health insurer agreed to pay $5.1 million to settle violations related to a breach affecting over 9.3 million people.
Another health insurer paid $6.85 million to settle a data breach affecting over 10.4 million people.
A hospital group agreed to pay $2.175 million after it failed to properly notify the authorities of a breach of unsecured PHI.
Here, “breaches” include the unauthorised disclosures or improper disposal of PHI, and the unauthorised access of PHI by bad actors. Breaches can also result in criminal charges and civil action lawsuits. Whether violations are inadvertent, wilful or deliberate, the Office for Civil Rights of the Department of Health and Human Services (OCR) will issue fines for non-compliance.
Two kinds of organisations are subject to HIPAA rules: Covered Entities (CEs) and Business Associates (BAs). HIPAA regulates how they use individually identifiable PHI. CEs are industry entities like health providers (e.g., hospitals) and data clearinghouses. BAs are subcontractors and other companies that come in contact with a CE’s PHI.
Developers that come into contact with PHI, and are either part of a CE or a CE’s BA, fall under the ambit of HIPAA rules. This includes the HIPAA Security Rule, which governs their access to confidential PHI. The HIPAA Privacy Rule also applies to them, to ensure that they have safeguards to protect the privacy of PHI, and to govern the use and disclosure of PHI without patient authorisation.
Should a PHI breach occur, developers must follow the procedures laid out under the HIPAA Breach Notification Rule. They must document all risk assessments and reasons why addressable safeguards were not implemented. They must also notify patients and the Department of Health and Human Services (HHS), and the media if over five hundred patients are affected.
The HIPAA Omnibus Rule covers all BAs and their subcontractors - including developers, consultants, and data storage companies - that create, receive, maintain or transmit PHI as they perform functions on behalf of a CE. One key requirement is that developers must be trained on all amendments and definition changes. Furthermore, under the Administrative Safeguards of the HIPAA Security Rule, CEs and BAs must train their developers on policies and procedures to prevent, detect, contain, and correct security violations. Training sessions must also raise awareness of the policies governing access to electronic PHI (ePHI), and of how to guard against, detect, and report malware attacks.
From here, it’s clear that security training for developers is a crucial requirement for HIPAA compliance. However, old-school classroom training is inadequate to achieve compliance and remain compliant. The key to success lies in practical, hands-on training - from SecureFlag!
With SecureFlag’s secure coding training, developers learn how to identify and remediate the most prevalent security issues through 100% hands-on exercises, not boring classroom lectures, or ineffective assessments.
Each learner practices their skills in a real desktop environment, created on-demand and easily accessible through the familiar web browser. They select the exercise code and are guided through the remediation of the security issue within the environment. Since they use familiar tools and technologies, they can learn useful security skills faster, and apply them instantly to their jobs.
SecureFlag also offers Learning Paths, a tailored approach with individual training courses so developers can quickly level up their skills. They also develop a “Secure By Default” mindset during application development - an essential quality for achieving HIPAA compliance.
To know more, reach out to us today.