HIPAA was passed in 1996 and, among other things, outlines the requirements for the management, storage, and transmission of protected health information (PHI) in both physical and digital form. While the original legislation pre-dates the rise of the commercial Internet (and the iPhone by a decade), its rules govern the use of this special type of personal data by applications on the web and mobile devices.

As with any twenty-year-old piece of legislation written in a world without smartphones, tablets, and heck, even webmail, HIPAA is full of requirements that are confusing and challenging, particularly for software developers who have to make sense of them as they relate to their product and the underlying technologies that we all use regularly to build and deliver applications to our customer bases.

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time.

Fines will increase with the number of patients and the amount of neglect. The lowest fines start with a breach where you didn’t know and, by exercising reasonable diligence, would not have known that you violated a provision. At the other end of the spectrum are fines levied where a breach is due to negligence and not corrected in 30 days. In legalese, the state of mind behind a violation is known as mens rea. So fines increase in severity from no mens rea (didn’t know) to assumed mens rea (willful neglect).

The fines and charges are broken down into 2 major categories: Reasonable Cause and Willful Neglect. Reasonable Cause ranges from $100 to $50,000 per incident and does not involve any jail time. Willful Neglect ranges from $10,000 to $50,000 for each incident and can result in criminal charges.

The Security Rule Technical Safeguards are the technology and related policies and procedures that protect EPHI and control access to it. The Technical Safeguards standards apply to all EPHI. The Rule requires a covered entity to comply with the Technical Safeguards standards and provides the flexibility to covered entities to determine which technical security measures will be implemented. Together with reasonable and appropriate Administrative and Physical Safeguards, successful implementation of the Technical Safeguards standards will help ensure that a covered entity will protect the confidentiality, integrity and availability of EPHI.

(Compliance Deadlines: No later than April 20, 2005 for all covered entities except small health plans, which had until April 20, 2006 to comply.)

“the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

“the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

“the property that data or information have not been altered or destroyed in an unauthorized manner.”

The Integrity standard requires a covered entity to: “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”

“Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”

“Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”

The Security Rule’s Physical Safeguards are the physical measures, policies and procedures to protect electronic information systems, buildings and equipment. Successfully implemented, these standards and implementation specifications should help protect covered entities’ EPHI from natural and environmental hazards, as well as unauthorized intrusion. All of the Physical Safeguards are designed to protect the confidentiality, integrity, and accessibility of EPHI.

“Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

“an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.”

“Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”

“Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”

All of the standards and implementation specifications found in the Administrative Safeguards section refer to administrative functions, such as policy and procedures that must be in place for management and execution of security measures. These include performance of security management process, assignment or delegation of security responsibility, training requirements, and evaluation and documentation of all decisions.

“administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

“Implement policies and procedures to prevent, detect, contain and correct security violations.”

“Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity.”

“Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic protected health information.”

“Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part [the Privacy Rule].”

“Implement a security awareness and training program for all members of its workforce (including management).”

“Implement policies and procedures to address security incidents.”

“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”

The Contingency Plan standard includes five implementation specifications.

1. Data Backup Plan (Required)

2. Disaster Recovery Plan (Required)

3. Emergency Mode Operation Plan (Required)

4. Testing and Revision Procedures (Addressable)

5. Applications and Data Criticality Analysis (Addressable)

“Perform a periodic technical and non technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule].”

“A covered entity, in accordance with maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) [the Organizational Requirements] that the business associate will appropriately safeguard the information (Emphasis added).”