In a Nutshell
The HIPAA regulations apply to organizations (covered entities and their business associates), not to products or features. A company can say it is “HIPAA compliant”, but it doesn’t make sense to describe a product that way; at best a product supports its customer’s compliance program.
If you are regulated, HIPAA requires that you ensure your organization:
- Control how you use regulated data internally and how you disclose it externally.
- Manage data security and risk with formal policies and internal controls.
- Identify and respond to security incidents and potential breaches of regulated data.
The most challenging part of a good HIPAA compliance program is being able to prove to an auditor or an OCR investigator that you did everything you were required to do, and that you made reasonable, documented decisions along the way.
In terms of technical implementation, HIPAA requires “reasonable and appropriate safeguards.” What does that mean? Good question.
To be regulated, health data must be individually identifiable and contain health information. Together, this is what HIPAA calls “protected health information” (PHI). General personally identifiable information (PII) on its own is usually not enough, but this can be tricky: PHI is a very, very broad category, and an ordinary identifier such as a name or email address becomes PHI as soon as it is stored alongside anything that reveals a health condition, treatment, or payment for care.
Formal audits that can result in a fine are conducted by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS). Sample audit. Other entities, such as customers and partners, will probably run informal audits. HHS can issue fines for data breaches as well as for non-compliance.
HIPAA is divided into a few groups of “rules”. The one engineers should pay special attention to is the Security Rule, which is organized into three groups of safeguards: Administrative, Physical and Technical. Surveying the Technical Safeguards yields the largest set of action points for making an app HIPAA compliant from an engineering perspective, so those are the rules this post focuses on.
Some of these safeguards are straightforward to implement. For example, “Assign a unique name and/or number for identifying and tracking user identity” is satisfied by the primary key of a users table, provided every person gets their own account and shared or generic logins are not allowed (a shared “admin” account defeats the tracking the rule is asking for). Other safeguards don’t have an equally obvious solution. “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency” might sound like it could be solved by an admin portal that can pull PHI for a user who forgot their password, but further reading shows that the expectations of this requirement are much deeper and realistically exceed the engineer’s sphere: “Procedures must be established beforehand to instruct workforce members on possible ways to gain access to needed EPHI in, for example, a situation in which normal environmental systems, such as electrical power, have been severely damaged or rendered inoperative due to a natural or manmade disaster.”
Aptible is an exceptional hosting option for building HIPAA-compliant apps. Consider this chart, which diagrams the division of responsibilities between Aptible and its customers. The last HIPAA strategy I wrote for a project was based on the 4 responsibilities left for customers, and I think 3 of them are routine and easy to satisfy across all projects.
Protection of credentials, tokens, secrets
Don’t commit tokens to source control, don’t email passwords, and so on. Lean on Aptible’s credentials manager for Aptible resources and on a third-party password manager such as 1Password for everything else. Treat any credential that has ever been committed or emailed as compromised and rotate it, since removing it from history afterwards does not un-leak it.
Web app dependency management
These are the dependencies your app needs in order to run: the OS and system packages required by your app, or those that come prepackaged with the server environment. Do any of them have known vulnerabilities? Don’t assume that mainstream language Docker images are vulnerability-free; most of the Node images here ship with dozens of reported vulnerabilities (use an Alpine release ;-)). A slimmer base image shrinks the set of packages that can carry a CVE, but it does not remove the need to scan. Aptible uses Clair to run its integrated security scans, but triggering them is a manual process (AKA an easy-to-forget process), so pushing images through a container registry with integrated scanning, such as Quay, helps build the scan into the deployment process rather than leaving it to memory.
Web app vulnerability scanning
These are the dependencies developers normally think of. For Node projects, they’re the production dependencies in package.json (and the transitive dependencies of those dependencies). GitHub has an integrated security scan feature that needs to be enabled for private repos, but it only monitors vulnerabilities with CVE IDs, which is not the most comprehensive vulnerability list in existence. Integrating an additional security scanner such as Snyk into CI is therefore a reasonable precaution. Whichever scanner you use, run it on every build and on a schedule, because new advisories are published against dependencies you already ship, and make the build fail on findings rather than only reporting them.
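As an added example (not code from the original post, and not Aptible’s or Snyk’s tooling), here is a small CI gate that consumes the JSON report written by `npm audit --json` (npm 7 or later, report version 2) and fails the build when any finding is at or above a chosen severity. The report embedded below is a constructed sample with made-up package names and advisory titles; the function names and options are my own. It shows the two decisions a gate has to make that a raw scanner report does not: which severities block a deploy, and whether a finding reached only through a transitive dependency counts.

```javascript
// Added example: gate a CI job on `npm audit --json` output (npm 7+, auditReportVersion 2).
// Not from the original post. All package names in SAMPLE_REPORT are constructed.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Unknown severity strings are ranked as critical so that a format change fails
// the gate loudly instead of silently passing it.
function rankOf(severity) {
  const r = SEVERITY_RANK[severity];
  return r === undefined ? SEVERITY_RANK.critical : r;
}

// Constructed sample in the shape of `npm audit --json`: a transitive critical
// finding, the direct dependency it propagates to, and two lower-severity direct findings.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "sample-yaml": {
      name: "sample-yaml", severity: "critical", isDirect: false,
      via: [{ source: 1001, name: "sample-yaml", dependency: "sample-yaml",
              title: "Prototype pollution via crafted document (constructed)",
              url: "https://example.invalid/advisories/1001", severity: "critical", range: "<2.1.0" }],
      effects: ["sample-config"], range: "<2.1.0", nodes: ["node_modules/sample-yaml"], fixAvailable: true,
    },
    "sample-config": {
      name: "sample-config", severity: "critical", isDirect: true,
      via: ["sample-yaml"], effects: [], range: "1.0.0 - 2.4.1", nodes: ["node_modules/sample-config"],
      fixAvailable: { name: "sample-config", version: "3.0.0", isSemVerMajor: true },
    },
    "sample-template": {
      name: "sample-template", severity: "moderate", isDirect: true,
      via: [{ source: 1002, name: "sample-template", dependency: "sample-template",
              title: "Regular expression denial of service (constructed)",
              url: "https://example.invalid/advisories/1002", severity: "moderate", range: "<4.2.0" }],
      effects: [], range: "<4.2.0", nodes: ["node_modules/sample-template"], fixAvailable: true,
    },
    "sample-log": {
      name: "sample-log", severity: "low", isDirect: true,
      via: [{ source: 1003, name: "sample-log", dependency: "sample-log",
              title: "Log injection through unescaped newlines (constructed)",
              url: "https://example.invalid/advisories/1003", severity: "low", range: "<0.9.3" }],
      effects: [], range: "<0.9.3", nodes: ["node_modules/sample-log"], fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 0, critical: 2, total: 4 } },
};

// failOn: lowest severity that fails the build. directOnly: ignore findings that
// reach the app only through another dependency (useful for triage, not for the gate).
function evaluateAudit(report, { failOn = "high", directOnly = false } = {}) {
  if (!(failOn in SEVERITY_RANK)) throw new Error(`unknown severity threshold: ${failOn}`);
  if (report.auditReportVersion !== 2) throw new Error("expected npm audit report version 2 (npm 7 or later)");
  const threshold = SEVERITY_RANK[failOn];
  const failing = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    if (directOnly && !v.isDirect) continue;
    if (rankOf(v.severity) < threshold) continue;
    const via = Array.isArray(v.via) ? v.via : [];
    failing.push({
      name: v.name,
      severity: v.severity,
      isDirect: Boolean(v.isDirect),
      // Object entries in `via` are advisories on this package; string entries name
      // the vulnerable dependency the finding is inherited from.
      advisories: via.filter((x) => typeof x === "object").map((x) => x.title),
      inheritedFrom: via.filter((x) => typeof x === "string"),
      fixAvailable: Boolean(v.fixAvailable),
      // npm reports an object here when the only fix is a semver-major upgrade.
      breakingFix: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor),
    });
  }
  failing.sort((a, b) => rankOf(b.severity) - rankOf(a.severity) || a.name.localeCompare(b.name));
  return { ok: failing.length === 0, failing };
}

// Human-readable summary for the CI log.
function formatResult(result, failOn) {
  if (result.ok) return `audit gate: no findings at or above ${failOn}`;
  const lines = result.failing.map((f) => {
    const origin = f.inheritedFrom.length ? ` via ${f.inheritedFrom.join(", ")}` : "";
    const fix = f.breakingFix ? "fix needs major upgrade" : f.fixAvailable ? "fix available" : "no fix available";
    return `  ${f.severity.padEnd(8)} ${f.name}${f.isDirect ? " (direct)" : ""}${origin}: ${f.advisories.join("; ") || "inherited"} [${fix}]`;
  });
  return [`audit gate: ${result.failing.length} finding(s) at or above ${failOn}`, ...lines].join("\n");
}

// Stand-alone use: `npm audit --json > audit.json || true; node audit-gate.js audit.json [severity]`
// (npm audit itself exits non-zero whenever it finds anything, hence the `|| true`).
// Without a path the constructed sample is evaluated and no exit code is set.
if (typeof require !== "undefined" && require.main === module) {
  const [path, failOn = "high"] = process.argv.slice(2);
  const report = path ? JSON.parse(require("fs").readFileSync(path, "utf8")) : SAMPLE_REPORT;
  const result = evaluateAudit(report, { failOn });
  console.log(formatResult(result, failOn));
  if (path && !result.ok) process.exitCode = 1;
}
if (typeof module !== "undefined") module.exports = { evaluateAudit, formatResult, SAMPLE_REPORT };
```

The gate fails closed: a severity string it does not recognize is treated as critical, and a report in an unexpected format throws instead of returning “ok”. The `directOnly` option is there for triage only; for the deploy gate the default (all findings) is the right setting, because the critical finding in the sample lives in a transitive package and is exactly the kind of thing a CVE-only view of your direct dependencies would miss.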
The fourth responsibility is the area where there are no easy answers. Review the technical safeguards in the Security Rule, determine which ones apply to the app you’re building, then write a strategy that states how each applicable safeguard is satisfied (or why it does not apply), because that written reasoning is what an auditor will ask to see.
Enclave is Aptible’s app hosting product, the one that makes HIPAA easier for engineers. Gridiron is the Aptible product that clients and founders might appreciate when implementing a larger, organizational HIPAA strategy.