What are the HIPAA regulations & criteria for a software application that contains the PHI of users?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, US legislation that sets data privacy and security provisions for safeguarding and protecting medical information such as medical records and other identifiable health data.
Protected health information (PHI) may be defined as any data that can be used to identify a patient.
PHI consists of two parts: health information and personal identifiers.
The HIPAA regulations & criteria for a software application that contains the PHI of users are:
1. Access control
Any system that stores PHI should limit who can view or modify the sensitive data. As per the HIPAA privacy policy, no person should see more patient information than is needed for their job. This rule also covers de-identification, patients' rights to view their own data, and their ability to grant or restrict access to their PHI.
2. Person or entity authentication
Once you've assigned privileges, your system should be able to verify that the person trying to access PHI is who they claim to be. The law provides several general ways in which you can implement this safeguard:
3. Transmission security
You should protect the PHI you send over the network and between the different tiers of the system.
4. Encryption/decryption
Encryption is the best possible means of ensuring PHI integrity. Even if hackers managed to steal your data, it would look like gibberish without the decryption keys.
Unencrypted laptops and other portable devices are a common source of HIPAA breaches. To be safe, it is recommended to encrypt the hard drives of all devices that contain PHI.
5. PHI disposal
You have to permanently destroy PHI when it is no longer needed. As long as a copy remains in one of your backups, the data isn't considered "disposed of".
6. Data backup and storage
Backups are essential for data integrity. Database corruption or a server crash could easily damage your PHI, so it's better to have multiple copies of your PHI stored in several different locations.
7. Automatic logoff
A system with PHI should automatically terminate any session after a set period of inactivity. To continue, the user would have to re-enter their password or authorize in some other way. This helps protect PHI if someone loses their device while logged into the app.
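The access-control ("minimum necessary") and automatic-logoff points above can be made concrete in a small service layer. The following is an added example, not code from the original answer: it filters a patient record down to the fields a role is allowed to see, expires a session after a fixed idle period so the user must re-authenticate, and records every access in an audit log. The roles, field sets, 15-minute timeout, and the sample patient record are all assumptions constructed for the example; the clock is injectable so the timeout can be exercised without waiting.

```python
"""Added example: role-based field filtering (minimum necessary) plus
idle-timeout sessions (automatic logoff) in front of a PHI store.
Standard library only; all data and roles below are constructed."""
import time
from dataclasses import dataclass

# Assumption: a session with no activity for 15 minutes is terminated.
IDLE_TIMEOUT_SECONDS = 15 * 60

# Constructed sample record: personal identifiers plus health information.
RECORDS = {
    "P-1001": {
        "name": "Jane Example",
        "dob": "1980-01-01",
        "insurance_id": "INS-555-01",
        "diagnosis": "Type 2 diabetes",
        "notes": "Adjusted metformin dose.",
    }
}

# Minimum-necessary field sets per role (assumed roles, not from the page).
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "notes"},
    "billing": {"name", "insurance_id"},
}


class AccessDenied(Exception):
    """Raised when a role is unknown or not permitted."""


class SessionExpired(Exception):
    """Raised when a session is missing or has been idle too long."""


@dataclass
class Session:
    user: str
    role: str
    last_activity: float


class PhiService:
    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable for testing the timeout
        self._sessions = {}          # token -> Session
        self.audit_log = []          # every access, success or failure
        self._next_id = 0

    def login(self, user: str, role: str) -> str:
        """Authenticate (assumed done upstream) and open a session."""
        if role not in ROLE_FIELDS:
            self.audit_log.append(("login_denied", user, role))
            raise AccessDenied(f"unknown role {role!r}")
        self._next_id += 1
        token = f"sess-{self._next_id}"
        self._sessions[token] = Session(user, role, self._clock())
        self.audit_log.append(("login", user, role))
        return token

    def _touch(self, token: str) -> Session:
        """Enforce automatic logoff: drop sessions idle past the timeout."""
        sess = self._sessions.get(token)
        if sess is None:
            raise SessionExpired("no such session")
        now = self._clock()
        if now - sess.last_activity > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            self.audit_log.append(("auto_logoff", sess.user))
            raise SessionExpired("idle timeout; re-authenticate")
        sess.last_activity = now
        return sess

    def get_record(self, token: str, patient_id: str) -> dict:
        """Return only the fields the session's role may see."""
        sess = self._touch(token)
        record = RECORDS.get(patient_id)
        if record is None:
            self.audit_log.append(("read_missing", sess.user, patient_id))
            raise KeyError(patient_id)
        allowed = ROLE_FIELDS[sess.role]
        view = {k: v for k, v in record.items() if k in allowed}
        self.audit_log.append(
            ("read", sess.user, sess.role, patient_id, tuple(sorted(view)))
        )
        return view


class FakeClock:
    """Manually advanced clock so the idle timeout can be demonstrated."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo():
    """Billing sees only billing fields; after 15 idle minutes the session is gone."""
    clock = FakeClock()
    svc = PhiService(clock=clock)
    token = svc.login("alice", "billing")
    first = svc.get_record(token, "P-1001")
    clock.t += IDLE_TIMEOUT_SECONDS + 1
    try:
        svc.get_record(token, "P-1001")
        expired = False
    except SessionExpired:
        expired = True
    return first, expired, svc.audit_log


if __name__ == "__main__":
    print(demo())
```

The filtering happens at the service boundary rather than in the UI, so a client that asks for the whole record still only receives its role's fields, and the audit log captures which fields were released on each read.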