CrossComm is genuinely the first place I’ve worked where everyone is self-motivated and wants to be here. I think a lot of that has to do with our core value of social good. For me, an important component of any project I’m involved with is its opportunity to help, either through the technology, or through the organization trying to positively impact people. Any potential partner with that desire is a great fit for us, and if we want to operate effectively in that space where people and their health are the mission, we have to have a deep understanding of HIPAA.
If you’re someone who doesn’t know what HIPAA is, I promise to get you there in this blog post - at least enough that you could feel comfortable with the topic. I’ll also give you some tips on what to look out for if you’re thinking about developing an app meant to create a positive impact for any health population. Here’s a brief snapshot of HIPAA:
Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has paved the way for ensuring the privacy and security of protected health information (PHI). HIPAA’s Privacy Rule, also known as the Standards for Privacy of Individually Identifiable Health Information, sets ground rules to protect medical records and our personal health information. As time passed, the healthcare industry began to manage health data using electronic information systems for administrative functions and clinical care. HIPAA’s Security Rule was enacted to establish protection of PHI in electronic form (ePHI) that’s collected and managed by a covered entity and shared with business associates.
A covered entity (CE) is any health provider, health care clearinghouse, or health plan transmitting PHI, and it must comply with HIPAA. If you’re not sure whether you’re a CE, the Covered Entity Guidance Tool might help. When a CE hires a company to perform a service or activity related to the use or disclosure of PHI, that company is considered a Business Associate (BA). For example, CrossComm is considered a Business Associate when the CEs in our projects want to develop software where PHI is essential. This includes apps that might hold any of the 18 individual identifiers, like names, specific dates (except years), email addresses, medical record numbers, photos, and even biometric identifiers like fingerprints.
Software and app development companies, like us, have carried health innovation forward by building technologies that capture ePHI in novel and interesting ways (think wearables, like the Apple Watch, or remote care platforms such as telemedicine, augmented reality, and virtual reality). The list of possibilities in this brave new tech world is endless, so it’s incredibly important that everyone at CrossComm is well-acquainted with HIPAA. That’s why CrossComm requires training for all employees and contractors, developers and marketing alike. It strengthens our commitment to best practices in technical, administrative, and physical security, and definitely makes my job easier as the HIPAA Privacy, Security, and Compliance Officer.
Another reason we’re so hip to HIPAA is that we have long-standing relationships in research, and have worked with many providers and principal investigators seeking to use technology to improve health outcomes. What I’ve learned working here is that the capability of technology to positively influence our wellbeing is tremendous. Some of the things we’ve been able to accomplish with our partners include:
Now you see why HIPAA training is grounded in our commitment to developing apps for social good. It allows providers, scientists, and researchers to feel secure that their app is protected so that they can carry on with the important work they do.
Tips on How You Can Be Hip to HIPAA
I can regale you with stories of what happens if you’re not “hip to HIPAA,” but I’ve found most of our partners have heard of it, have had the required training, and occasionally carry with them a healthy fear of what could happen if health information safeguards aren’t met.
Where I see people get confused is determining how to apply HIPAA to technological tools. That’s what we’re able to provide, especially during the discovery process with potential clients. It’s in this phase we try to truly understand your goals, why and how you’re collecting data, and the end state you’d like to achieve.
My advice for anyone trying to be hip to HIPAA in tech is to follow some of the privacy and security checks we use when we guide our partners across the HIPAA landscape. Here are a few tips:
Ask yourself, “How will PHI be managed?” If you plan on managing PHI outside of the software or app, make sure you’re aware of the type of identifiers and how to comply with HIPAA in your specific organization. If you’re already working with a patient population, your organization probably has a HIPAA Privacy, Security, and Compliance Officer, like me, to help you along.
If you would like your Business Associate to manage the ePHI on your behalf (in a cloud or server for example), make sure they not only know HIPAA requirements, but also understand the proper uses and disclosures of ePHI in the system and app itself. This can include helping you to navigate how to properly log on and off of the system, and knowing how to report a potential or actual security breach.
In projects where PHI is not essential, we often ask, “Could we go the HIPAA avoidance route?” If we can achieve the purpose and goals of a provider or researcher without including ePHI in the app, we can minimize the cost and risk of complying with HIPAA requirements. We recommend that in every phase of conceptualizing your app, think about how you can limit PHI to only that which is minimum necessary - or not include it at all - while still accomplishing your intended goals and purpose.
Once you’ve determined the minimum PHI required, you can start brainstorming cost-saving alternatives. We understand the limited funding research scientists can face, so we’re cognizant of the need to think through all the possible technological avenues they can take. For example, there are features you can incorporate in your app, like generating random user/patient IDs, or storing identifiers outside of the app. By doing this, none of the work we do on the development or database side collects the sensitive information. In a nutshell, we try to think through the financial limitations our partners might have, and often they don’t realize that something as simple as a randomized ID number is an acceptable, cost-effective option. Additionally, from a cybersecurity standpoint, these alternatives are safer than associating first and last names with patient data.
Lastly, we know not everyone can achieve HIPAA avoidance. Once we identify that there’s a need to comply, we’ll go through the due diligence of adding multiple cybersecurity layers to make sure that all collected PHI is protected. This requires you to understand how your data flows from user input to the cloud, where it will eventually reside in a database. One way to do this is to think through how your users interface with the technology and where they’ll be inputting and retrieving PHI. On the technological side, this will help your app developer determine the encryption needs at rest (when it's in the database) and encryption in transit (when it’s flowing to the app). Encryption deserves a blog post on its own, so I won’t go into it in rich detail. Just know that encryption protects your data by scrambling the text of your PHI into an unreadable format. This helps protect the confidentiality of PHI in your project.
There are so many more tips I could give, but I’ll leave you with a final key takeaway you may find surprising: you don’t really have to be hip to HIPAA. Instead, you can find yourself a technology partner who takes HIPAA seriously, so you can concentrate on what you love: your mission to make a difference.
If you'd like to create health software or an app with us, we welcome your email at firstname.lastname@example.org
Stella Cox is Chief of Staff at CrossComm and has previously held key positions as Project and Program Manager. Stella has a diverse managerial background, having served 4.5 years in the US Army as Logistics Officer, Quality Manager at Dr. Pepper Snapple Group, and Director of Operations and Compliance at a regional recycling company in Upstate New York. She has a BS in Policy Analysis and Management from Cornell University, and is currently an MBA candidate at UMass Amherst. Stella resides in Chesterfield, VA with her husband and two dogs: Ralph and Suzie.