HIPAA and Healthcare Applications, Part 3 of 3: What You Need to Know About Data Transfer

We’ve come to the final installment of our three-part series decoding the Security Rule section of HIPAA in connection with healthcare application development. This rule’s detailed guidance on the degree to which the transmission and storage of electronic protected health information (ePHI) must be kept safe makes it especially relevant to patient portal and mHealth app development. Here, we’ll go over how it applies to data transfer, with particular regard to encryption and notifications. Don’t forget to check out the first post and second post in this series, where we go over user authentication and auditing.

Is Encryption Required?

Although the Security Rule does not technically require encryption, it does consider it to be addressable. This means that if an entity determines that its implementation is not plausible, it must document the specific reasoning behind the decision not to encrypt data and must employ a comparable alternative measure to ensure the protection of ePHI.  This does not mean, however, that providers can tread lightly when it comes to encryption.

The rule specifically states that “…a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.” The important takeaway from this is that an entity is required to encrypt whenever it is feasible. In the event of an audit, if a “reasonable appropriate alternative” was implemented, the entities’ documentation will be reviewed to determine whether the ePHI is being kept safe.

Are cloud or virtual servers acceptable for use?

Cloud or virtual servers are permissible as long as they comply with current HIPAA standards. A couple of important points to consider are whether the server is auditable, and whether the provider is willing to include a BAA, or business associate agreement, in the contract. It is particularly important that a server undergoes the required yearly audits examining its data center and infrastructure. If this requirement has been satisfied, the provider should be able to produce a summary document as evidence of the audit. Adhering to HIPAA standards also requires that servers sign a business associate agreement. The signed BAA should include everything indicated in the sample agreement provided by the Department of Health and Human Services.  

Can ePHI be included in push, email, text, and interactive voice response notifications?

We touched on whether ePHI can be included in email and SMS notifications back in August, and you can can check out the original article here. There are two main things to note about the communication of ePHI in notifications. First of all, the safest way to maintain the safety of the information, is to avoid its explicit inclusion via these notifications altogether. Second, if ePHI is included, it the responsibility of the provider to encrypt the information unless given express permission by the patient not to do so. The patient must be made aware of the risk of receiving unencrypted ePHI, and must request to receive information in this manner despite the risks. 
While there are many rigid standards, the specifications of the Security Rule are not meant to be insurmountable. The rule is designed to be flexible enough to accommodate a variety of Covered Entity and Business Associate structures and sizes.

Data transfer is an important part of the Security Rule section of HIPAA compliant messaging, but is only a small part of what the rule addresses. Read our previous posts on authentication and auditing.