Considerations for building HIPAA compliant websites and applications
Disclaimer
This article is for informational purposes only. Easie does not intend the information or recommendations in this article to constitute legal advice. You are responsible for independently evaluating your own particular use of services as appropriate to support your legal compliance obligations.
Definitions
Any capitalized terms used but not otherwise defined in this document have the same meaning as in HIPAA. Furthermore, for the purposes of this document, Protected Health Information (PHI) means the PHI you receive from or provide to a Covered Entity.
There is no certification for HIPAA compliance
A critical responsibility for you is to determine whether or not you are a Covered Entity (or a Business Associate of a Covered Entity) and, if so, whether you require a Business Associate Agreement for the purposes of your interactions.
Cloud resource providers enter into Business Associate Agreements with customers as necessary under HIPAA.
Most cloud resource providers offer infrastructure that is capable of storing and processing PHI securely, but you remain responsible for configuring and securing the environment and applications you build on top of that platform so that they meet HIPAA requirements.
This division of responsibility is referred to as the shared security model in the cloud (see figure 1.2).
Note the difference between security “in” the cloud (your responsibility: guest operating systems, application code, identity and access management, encryption settings and firewall rules) and security “of” the cloud (the provider's responsibility: physical facilities, hardware, hypervisor and the managed services themselves). AWS describes the customer's side of the model as follows:
“Customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall. Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment and applicable laws and regulations.” (3)
There is no certification recognized by the US Department of Health and Human Services (HHS) for HIPAA compliance, and complying with HIPAA is a shared responsibility between you and your service providers. HIPAA requires compliance with the Security Rule, the Privacy Rule and the Breach Notification Rule. Enterprise cloud platform providers (e.g. AWS, Google Cloud) support HIPAA compliance within the scope of a Business Associate Agreement, but a BAA covers only the services the provider designates as HIPAA-eligible; PHI placed in a service outside that list falls outside the agreement and is entirely your own responsibility. Ultimately you are responsible for evaluating your own HIPAA compliance, and non-compliance can lead to serious legal consequences.
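The AWS quote above singles out the security group firewall as something the customer, not the provider, must configure correctly. The following Python is an added example, not code from Easie's article or from AWS, showing what checking that responsibility looks like in practice: it scans security-group ingress rules for sensitive ports exposed to the whole Internet. The group IDs and rules are constructed sample data whose structure mirrors the IpPermissions shape of the describe_security_groups API response; the list of sensitive ports is an assumption for illustration, and no live API call is made, so the script runs offline.

```python
"""Audit security-group ingress rules for world-open access to sensitive ports."""

# CIDRs that mean "anyone on the Internet".
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Ports that should not be reachable from the whole Internet on hosts that
# store or process PHI. Assumed list for illustration; tailor it to your stack.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 27017: "mongodb"}

# Constructed sample data. The group IDs are invented; the structure mirrors
# the IpPermissions shape returned by describe_security_groups, so a real
# audit would substitute the API response here.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # SSH left open to the world: the misconfiguration we want to catch.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0e5f6a7b",
        "GroupName": "db-tier",
        "IpPermissions": [
            # Postgres restricted to a private subnet: fine.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
            # "-1" means all protocols and all ports, here open to all of IPv6.
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def rule_cidrs(rule):
    """All IPv4 and IPv6 source CIDRs attached to one ingress rule."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return cidrs


def rule_covers_port(rule, port):
    """True if the rule's protocol and port range reach TCP `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all traffic: every port on every protocol
        return True
    if proto != "tcp":
        return False
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi


def find_world_open_ports(groups, sensitive_ports=None):
    """Return sorted (group_id, port, service, cidr) tuples for every
    sensitive port that a world-open ingress rule exposes."""
    sensitive_ports = SENSITIVE_PORTS if sensitive_ports is None else sensitive_ports
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            world = [c for c in rule_cidrs(rule) if c in WORLD_CIDRS]
            if not world:
                continue  # only private sources; nothing to flag
            for port, service in sensitive_ports.items():
                if rule_covers_port(rule, port):
                    findings.extend((group["GroupId"], port, service, c) for c in world)
    return sorted(findings)


if __name__ == "__main__":
    for group_id, port, service, cidr in find_world_open_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {service} (tcp/{port}) reachable from {cidr}")
```

Run against the sample data, the audit flags SSH on the web tier and every sensitive port on the database tier, because an "all traffic" rule from ::/0 exposes all of them even though the explicit Postgres rule is correctly scoped. The provider guarantees the firewall enforces whatever rules you write; whether those rules are appropriate for PHI is the part of the shared model that is yours.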
PaaS versus IaaS platforms
Cloud resource providers like AWS and Google Cloud offer infrastructure as a service (IaaS): the underlying computing, storage and network resources, along with their physical location, data partitioning, scaling, baseline security and backups.
IaaS is a beneficial and critical component of the shared security model, but it covers only part of the application infrastructure needed to develop and deploy a HIPAA-compliant technology stack; access control, encryption of PHI at rest and in transit, logging and audit trails at the application layer remain yours to build and operate.
Platform as a service (PaaS) providers, by contrast, supply a managed platform on which customers develop, run and manage applications without building and maintaining the infrastructure typically associated with developing and launching an app.
PaaS therefore reduces engineering complexity dramatically: development can be more efficient because infrastructure resources are built in, and auditing and maintenance are typically easier as well.
PaaS downsides include significantly higher monthly pricing (especially at scale), less customizability and a narrower feature set (see figure 1.3).
Institutional review board (“IRB”) ethics certification
An institutional review board (“IRB”) is a formal committee that reviews proposed research within a given scope, analyzing the methodology to ensure that it meets ethical standards. These boards approve or reject, monitor and review research involving human subjects.
The purpose of IRBs is to protect participants from physical, emotional or psychological harm by reviewing research protocols and the associated exhibits and materials. A protocol in this context is the detailed plan for conducting a study; it is submitted as an exhibit with the IRB application. A grant application may also substitute for a protocol document in an IRB submission.
In the United States, IRB review is required under 45 CFR part 46 (the Common Rule) for human subjects research conducted or supported by federal agencies, with limited exemptions; many institutions apply the same rule to all of their human subjects research regardless of funding. Exemption determinations are generally made by a designated IRB representative rather than by the full IRB committee.
Creating a formal research scope and an initial protocol for your business model to obtain IRB approval can provide the foundation for much broader applications of your data. Review by a commercial IRB can be purchased starting at around $1,000 and takes approximately two weeks for the IRB committee to complete after the application is received.
Conclusion
There is no certification recognized by the US HHS for HIPAA compliance, and complying with HIPAA is a shared responsibility between you and your cloud resource providers. HIPAA compliance is extremely serious and non-compliance can lead to severe legal ramifications.
Further, building a HIPAA-compliant, full-stack application from the ground up is extremely expensive and time-consuming. Instead, we suggest using a PaaS product to build the minimum viable product, then developing more advanced versions of the application iteratively.
You must determine whether or not you are a Covered Entity (or a Business Associate) based on your business model. Obtaining IRB approval opens opportunities for research and is legally required in the United States for human subjects research that falls under 45 CFR part 46. Easie can help you make these design decisions as you move forward with this project.
Easie can help you build your next big project
Schedule a free 15 minute consultation to see how Easie can work for your unique situation.