HIPAA

If your business deals with health data in the U.S., you need to learn about the Health Insurance Portability and Accountability Act (HIPAA).

This article will describe what HIPAA law is (contents of law) so you can determine whether your website or app is controlled by it.

There's also an HIPAA compliance checklist available to help you find the best approach to meeting your obligations.

History of HIPAA

Logo of HIPAA

President Bill Clinton signed HIPAA in 1996.

Its enactment increased the use of electronic medical records which started the development of new online services and apps for accessing this data.

Along with making records more accessible, especially to patients and workers under group health insurance programs, it also enacted new privacy controls.

The primary purpose of HIPAA was to make it easier for workers in the U.S. to keep their health insurance when they changed or lost jobs.

This is covered in "Title I" of the act concerning access, portability, and the renewal process. Employers and health insurers must comply with notice requirements that keep workers informed as they make work transitions.

These provisions also required health insurers and health care providers to make information accessible to workers and patients. This encouraged the further development of electronic records which were not widespread in 1996.

As this started to change, electronic records required new means of protection, which gave way to new rules for protecting the privacy of this information.

While the provisions in "Title I" of HIPAA law were effective immediately, the privacy provisions did not become effective until 2003 due to the technological limitations.

"Title II" of HIPAA, also known as the Privacy Rule, enacts these requirements. As a developer of a website and/or mobile app, this is the part of HIPAA that affects your website or app.

The Privacy Rule protects "Protected Health Information" or "PHI". This includes:

  • Demographic data about an individual
  • Past, present or diagnosed mental or physical conditions
  • Health care treatment
  • Past, present or probable payments charged for the treatment

Health information that does not identify an individual is exempt.

For example, if you have an app that shares anonymous study results between medical professionals, that would not be subject to the Privacy Rule of HIPAA.

The Privacy Rule is more concerned with health conditions and individuals identities being linked.

How to comply with HIPAA

Healthcare providers

Health plans, health care clearinghouses, and any healthcare provider who uses electronic records must comply with HIPAA. If you are a developer employed in-house with an entity that falls under these categories, you likely already incorporated HIPAA in your everyday tasks.

These are the entities that handle health data directly.

Logo of Kaiser Permanente

Kaiser Permanente is a larger health insurer in the U.S. They are also very innovative with online solutions that allow patients to pay premiums and bills online, email their doctors, and access lab results and medical records.

The "Privacy Statement" page of Kaiser Permanente makes it clear to users that they are entitled to protection under HIPAA while also integrating other notices they will receive as they use the services:

Reference to HIPAA in Kaiser Permanente Privacy Statement

Logo of Providence

Providence Health and Services is another larger insurer that offers online access through a tool called myProvidence. In the User Agreement page for this service, it refers to HIPAA in its dispute resolution clause:

myProvidence: HIPAA reference in User Agreement

As insurers and health care providers, Kaiser Permanente and Providence are obvious targets of the HIPAA Privacy Rule.

However, the Privacy Rule of HIPAA also includes business associates of health insurers and providers. That is where as an independent developer you can still be held responsible for these requirements.

Business associates

In addition to the parties that handle the data directly, HIPAA also extends to business associates. These are third parties that include people and entities who perform functions for or on behalf of the covered entities, including independent contractors.

If your website or mobile app serves clients in the health field, you likely qualify as a business associate.

A website or a mobile app that helps patients make appointments and access their stored records, for example, often means having access to that information. For that reason, you need to follow the requirements outlined in HIPAA.

Likewise, if your website or app sends data to a hospital or clinic, like with patients emailing doctors, you will have to take HIPAA-compliant measures.

The same is true if your service helps medical professionals collaborate on patient treatment.

Basically, the standard is: if you enable communication or exchange between health professionals or between these professionals and their patients, you need to follow HIPAA.

Logo of Med-IT

For example, Med-IT offers a web service for health professionals to access records. It explains this purpose in its secure login screen:

Screenshot of Med-IT login page

Its Terms of Use page reference the privacy provisions in HIPAA and also recognizes that it takes in account those requirements:

HIPAA reference in Med-IT Terms of Use

Their Terms of Use also includes this provision where users give assurance that they are using the service legally:

Provision that users are legally using the service of Med-IT

Med-IT is a business associate since it offers a way for professionals to access records. That is why it must maintain HIPAA compliance even though its primary business purpose is not directly providing healthcare or health insurance.

Logo of Amazon AWS

Amazon Web Services offers cloud compliance services regarding HIPAA to Orion Health, HealthCare.gov and many others who provide insurance and health care to Americans. Amazon also provides white papers to its healthcare cloud clients on how to use its services in a compliant matter.

Amazon offers these services clearly on its first page, although there are no HIPAA references in its agreements:

Reference to HIPAA from Amazon AWS

Amazon also makes its duties well-known. It admits that it is a third party business associate that must comply with HIPAA. In its FAQ, it describes this duty and even agrees to sign contracts indicating this relationship:

FAQ on Business Associate Agreement from Amazon AWS

Amazon's direct involvement with HIPAA issues requires this transparency. Other entities that share information offer HIPAA provisions more as a precaution.

Fitness apps

Fitness apps (mostly mobile apps) are different because the information is not provided as an official diagnosis by a healthcare provider. The data recorded by these apps is provided by the user or a device they purchased.

If your website or mobile app helps users record their own data either manually or through a device, you do not fall under HIPAA.

Google Fit, Wahoo, and Fitbit do not mention the law in their documents and there is no legal precedent that holds them to it. However, if any of these apps started collaborating with users' primary physicians or take a role in diagnosis and treatment, you will likely see more attention towards HIPAA compliance.

Also, if you decide to add a feature that transmits fitness data from users to their medical providers, you will have to consider HIPAA.

As long as you limit your app to users recording their own data, you do not need to be worried about HIPAA.

When HIPAA passed in 1996, there were no smartphones and accessing records online was only beginning. As technology evolved, the interpretation of HIPAA changed to match these changes.

One of these issues regards to cloud services that can be accessed online or through an app.

Examples of HIPAA Privacy Policies

Medical clinics, from nursing homes to dentists to general practitioners, all must have Privacy Policies in place that are HIPAA-compliant because they collect and maintain health information for their patients.

Here are a number of examples of how medical clinics place, locate, and link to their HIPAA Privacy Policies on their websites.

Note that the Privacy Policy document or legal page can be named a number of different things:

  • HIPAA Privacy Notice
  • HIPAA Notice of Privacy Practices
  • HIPAA Privacy Policy

The name doesn't matter, so long as it is clear that "HIPAA" and "Privacy" is the subject matter of the respective legal page.

Example from Phelps Memorial Hospital Center

Phelps Memorial Hospital Center places a link to its HIPAA Privacy Notice in the footer of its website. This makes it easily accessible from and prominently placed on every page of the website:

Highlight legal link from Phelps Memorial Hospital Center website

Phelps' legal notice is also accessible from the "Patient and Visitor Info" menu bar:

Highlight Patient and Visitor Info from Phelps Memorial Hospital Center

And on its left side menu bar:

Highlight legal link from sidebar of Phelps Memorial Hospital Center website

Example from Floyd Memorial Hospital and Health Services

Floyd Memorial Hospital and Health Services also places a link to its HIPAA Privacy Policy in the footer of its website to allow for easy access and prominent placement of this legal page:

Highlight legal link from Floyd Memorial Hospital

Example from AmeriHealth

AmeriHealth includes the link to its HIPAA Privacy information in the main "Privacy Policy" section of its website. This section is divided into a "HIPAA Privacy" section and a general "Website Privacy" section:

Legal links to HIPAA Privacy from AmeriHealth

Example from Delta Dental

Delta Dental places its HIPAA Notice of Privacy Practices within its "Legal Notices" section, under a "Privacy and Security" subheading.

This kind of placement of these legal agreements helps users find Delta Dental's HIPAA Privacy Policy agreement, and also makes it clear to users that the legal pages deals with legal issues as well as issues of privacy of health data.

Section of Legal Notices from Delta Dental website

Example from University of Denver

The University of Denver places its HIPAA Privacy Practice under the "About Us" section of its website along with other important information about the University's Health and Counseling Center.

Link to HIPAA Privacy Information from University of Denver

A link is also placed in the "Quick Links" section that's located on the bottom half of every page. This location helps users find the link quickly and easily, and also shows its importance.

Highlight legal links from Quick Links section for University of Denver

Example from Washington Radiology Associates

Washington Radiology Associates, P.C., places a link to its HIPAA/Privacy Policy in the "Patient and Office Guide" box of links:

Washington Radiology: Highlight link to HIPAA Privacy

HIPAA Compliance Checklist

Before you start designing an HIPAA compliance program and change your agreements to reflect it, consider these potential security problems and how they affect your online service or app:

  • Mobile and wearable devices are easily lost and stolen, leaving data vulnerable.
  • Email and social media make it easy to post something that violates HIPAA.
  • Push notifications containing PHI are possible HIPAA violations.
  • Users may breach PHI either carelessly by failing to take precautions or intentionally.
  • Not all of your users employ screen-lock security or passwords on their mobile devices, leaving any PHI available to whoever comes across the device.
  • Mobile devices like iPhones do not contain keyboards so users are more likely to create basic passwords that are not as safe.

Even if your service is only available online and not through a mobile app, keep in mind that laptop computers get stolen and many users have tablets that they use like a computer.

This makes your service just as portable as if you created a mobile app and just as easy to compromise.

Business practices

Therefore, you will want to implement the following practices whether you provide a mobile app, online service or both:

  • Unique user identification.

    Every user needs to have a login name or number to make it easy to identify and track them. Attempt to move away from obvious login information like first and last names.

    Create unique identifiers that are not simple to guess.

  • Emergency access procedures.

    While you want the information locked up tight, it should still be accessible by authorized medical and emergency personnel. Create a system where this is possible yet make it secure.

    You have to comply with HIPAA but also meet the needs of your clientele.

  • Automatic logoff.

    Many privacy issues can be avoided if apps or online services contain an automatic logoff. Fifteen minutes of inactivity is the standard but users may prefer to keep that window shorter or longer.

  • Encryption and decryption.

    You want to encrypt PHI whenever possible as that reduces inappropriate access and use.

    However, you want to assure that authorized users will not discover gibberish when they look up this information during a medical event.

  • Audit control.

    This includes processes that examine and record activity when PHI is accessed.

    Hardware, software, and procedural guidelines should record who accesses the information, the purpose for the access, and the health conditions examined through the records.

  • Authentication mechanisms.

    Login information can be stolen.

    For the most sensitive information, include additional steps such as thumbprint readers, additional personal questions to the user, and any other steps to assure the one accessing the data is authorized.

  • Integrity controls.

    Limit who may modify information or change its privacy settings.

    If there are modifications, set up a detection method so another authorized person is notified of what just occurred.

  • Review your agreements.

    You may wish to include HIPAA references in your Privacy Policy or Terms of Service.

    Another option is to create separate HIPAA documents or perhaps a clearly worded FAQ. There are many options described here from minimalist to overkill.

    As with any other policy, it depends on your level of risk adversity.

Clauses to have in HIPPA Privacy Policy

Now that you have an idea of how these legal agreements, the Privacy Policies, can be linked to a website that collects and uses health data of users, and how they can be titled differently, let's take a look at how the agreements themselves are structured.

The following are the key clauses and disclosures found in most Privacy Policy agreements that are compliant with the HIPAA act:

  • Introduction
  • Permitted Uses & Disclosures
  • Other Uses/Special Situations
  • Your Rights
  • Complaints
  • Contact Information

Note that these clauses or disclosures may be named differently from agreement to agreement, and some agreements may include additional clauses, depending on various factors: business model of the company, additional health data collected etc.

Introduction

The "Introduction" disclosure doesn't have to be labeled as such, but it can be.

It's where you introduce that this - the legal page, the legal agreement - is a "HIPAA" Privacy Policy or "HIPAA" Privacy Notice and that it describes how medical information will be used and disclosed.

It's usually used as a quick summary of the content found in the rest of the agreement. You can include a statement that tells that you - the company collecting and using health data - is required by law to maintain the privacy of "Protected Health Information" and that you're required to provide users with a copy of your current legal agreement, upon request.

Here's an example of an "Introduction" clause from the HIPAA Policy of Phelps Memorial Hospital Center:

Introduction clause from HIPAA Privacy of Phelps Memorial Website

Another example of the "Introduction" clause from the HIPAA Notice of Privacy Practices of Delta Dental is below.

Note how the structure is different than Phelps, but the general information outlined remains the same:

Introduction clause from HIPAA Notice of Delta Dental

Permitted Uses and Disclosures

This type of section in an HIPAA Notice, the "Permitted Uses and Disclosures", is where the company/organization/medical clinic spells out how it will use and disclose protected health information.

This type of disclosure usually has three sub-sections, among medical clinics: "Treatment", "Payment", and "Healthcare Operations".

The example below from Washington Radiology shows a breakdown of the three main sub-sections, as well as general examples of what would fall under each sub-section.

Uses and Disclosures clause from HIPAA Notice of Washington Radiology

Here's another example of how Delta Dental has structured this disclosure section.

Note how there is no separation of the "Treatment", "Payment', and "Healthcare Operations" sections, but they're all mentioned in the header of the clause and all covered within the clause.

Permitted Uses clauses from HIPAA Notice of Delta Dental

Other Uses/Special Situations

Occasionally there will be special situations where the permitted uses and disclosures of personal health information will be different than the usual.

In the example below, Floyd Memorial Hospital and Health Services lists out all of the special situations where personal health information will be disclosed without needing the typically required authorization for disclosure.

Other Uses clause in HIPAA Notice of Floyd Memorial

Below is an example of how Washington Radiology breaks down this "Other Uses/Special Situation" clause.

Patients are informed that other disclosures aside from those mentioned in the previous clause may occur, but not without written permission, unless a situation permitted or required by law as described in the following section occurs.

This can be a good way to let patients know the differing levels of disclosure and requirements for consent or authorization prior to disclosures.

Other Uses clause from HIPAA Notice of Washington Radiology

Your Rights

Perhaps the most important clause of a Privacy Policy agreement that needs to discuss the HIPAA act and users' rights is the "Your Rights" clause.

This clause spells out the rights of the users or patients in regard to the HIPAA act.

There are 7 rights granted to patients through the HIPAA Privacy Rule and each should be included in this clause.

Below is an example from the legal agreement of Phelps Hospital of a clearly numbered breakdown of rights of patients:

Your Rights clause from HIPAA Notice of Phelps Memorial

Washington Radiology takes the approach of summarizing each right in a first summary sentence, then describing the right in further detail in the following paragraph. This can help the user locate specific information faster:

Your Rights clause from HIPAA Notice of Washington Radiology

Make sure that you include a section for each of the 7 patient's rights as outlined by the HIPAA act.

Complaints

This type of section is where you provide users/patients with information about whom the user or the patient should contact if it's believed that their privacy rights have been violated.

You can let a user/patient know that they will not be retaliated against for filing a complaint. In the example below, a phone number for someone at the organization has been provided, as well as federal complaint information:

Complaints clause in standard HIPAA Notice

Contact Information

You must provide users and/or patients with your contact information, such as a phone number, email address, and physical/mailing address where you can be contacted:

Contacts clause in HIPAA Notice of Delta Dental