Tag Archives: HIPAA

HIPAA Compliant Healthcare Applications (Part 2 of 3): What You Need to Know About HIPAA Audits in Healthcare

This is the second part of our three-part series discussing the Security Rule section of HIPAA compliant healthcare application development. Here we’ll go over HIPAA auditing, what it means, why it must be done, the implications of not doing so, and how you should conduct a HIPAA audit.

What are HIPAA audits?

The OCR (Office of Civil Rights) can and will periodically conduct HIPAA audits on covered entities and business associates to ensure that they are safeguarding electronic protected health information (ePHI) as they should. HIPAA audits are conducted to gauge progress on compliance and to identify areas where improvement is needed.

Why you should care

In order to prevent fines associated with failed HIPAA audits, healthcare organizations should conduct regular risk assessments and take steps to prepare for HIPAA compliance audits.
There are several levels of penalties based on what a covered entity does or doesn’t do in accordance with HIPAA. Read the following to learn more: Is Your Healthcare Patient Portal HIPAA Compliant?

HL7, FHIR, API

HIPAA audit log requirements

The HIPAA technical safeguards rule[¹] for covered entities were created to ensure that controls are in place for monitoring activity on electronic systems that use or contain ePHI. These entities must also have policies in place to systematically review and monitor audit records to establish that all activity on these electronic systems is appropriate. Logons and logoffs, file accesses, updates, edits, and security incidents are a few examples of activities that should be monitored.

The only obligatory audit is a risk analysis[²], which is required regardless of a provider’s size. In this analysis, providers must accurately determine whether potential vulnerabilities and risks to the integrity, confidentiality, and availability of ePHI exist within their systems. Conventional controls for these audits generally include the application of software, hardware, and/or procedural mechanisms that analyze activity in systems containing ePHI.

Rule 45 CFR § 164.316 states that audit records must be retained for six years[³] from the date of its creation or the date when it last was in effect, whichever is later. Logs of system activity and records of security breaches are examples of information that must be available from audits within six years.

Use a HIPAA compliant patient portal

Implementing HIPAA compliant patient portal software can ensure that your company is always ready for a HIPAA audit. Bridge Patient Portal ensures HIPAA compliance by:

  • Going through multiple rounds of third-party HIPAA audits
  • Being ONC 2015 Edition certified
  • Conducting regular risk assessments
  • Regularly reviewing records of system activity, including audit logs, access reports, and security incident tracking reports
  • Maintaining ePHI integrity requirements by implementing information systems such as checksum verification or digital signatures
  • Employing a full-time compliance officer
  • Auditing is an important part of the Security Rule section of HIPAA but is only a small part of what the rule addresses.

This was the second part of our three-part series discussing the Security Rule section of HIPAA compliant healthcare application development. Catch up on Part 1: What You Need to Know About User Authentication or continue onto Part 3: What You Need to Know About Data Transfer.

  1. LII / Legal Information Institute. (n.d.). 45 CFR § 164.312 – Technical safeguards. [online] Available at: https://www.law.cornell.edu/cfr/text/45/164.312.
  2. Office for Civil Rights (OCR (2010). Guidance on Risk Analysis. [online] HHS.gov. Available at: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html.
  3. Compliance Deadlines What is the Security Series? (2005). [online] Available at: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/pprequirements.pdf.
Pablo, our Chief Information Security Officer, architected and manages Bridge’s HIPAA-compliant hosting infrastructure. He is an Amazon Web Services (AWS) Certified Solutions Architect and is about to receive a Masters degree from the University of Buenos Aires in Computer and Information Systems Security and Information Assurance. He has a passion for all things related to cybersecurity and cloud hosting.

HIPAA Compliant Healthcare Applications, Part 1: What You Need to Know About User Authentication

Updated on July 23, 2020.

Of the three main components of HIPAA (the Privacy Rule, Security Rule, and Breach Notification Rule) the Security Rule is particularly relevant to healthcare mobile app development. The majority of these applications, from patient portals to mhealth apps, store or transmit electronic protected health information (ePHI). It’s essential to keep this information safe, and the Security Rule has in-depth guidance on the extent to which this needs to be accomplished, but with a fair amount of flexibility as to the strategies for implementation.

Here, we decode the Security Rule as it applies to the patient portal and mHealth app development, specifically in regards to user authentication. In Part 2 of this series, we cover auditing, and in Part 3, we discuss issues related to data transfer, such as encryption and notifications.

What is an Appropriate Level of Authentication for Online Patient Access to Health Information?

During HIPAA compliant healthcare application registration, healthcare organizations need to set up procedures that verify the person’s identity requesting access to ePHI. There is a false belief that the only way to ensure the user is who they claim to be is for registration to be done in person, within the practice — aided by a staff member. While this is an option — considered outdated by some — it is not a HIPAA requirement. An alternative option is for a patient to provide an email address over the phone and receive an invitation to register for the healthcare mobile app platform. Providing your email address in person is considered more credible than most setup authentications on the web, where the email address is entered into a registration form. Patients could also register autonomously, also referred to as self-registration. While these two remote options are less secure than in-person authentication, they are preferred for convenience. Additional verification can be added by asking the patient challenge questions produced by a 3rd party such as IDology during registration.

A simplified registration process increases healthcare application use, such as a patient portal. And increased patient portal use results in improved patient engagement, more efficient patient appointment scheduling and cancellations, and enhanced treatment plan adherence.
At Bridge Patient Portal, one of the most common complaints made by healthcare organizations using other patient portals (typically bundled with their EHR vendor) is the cumbersome process patients must undergo to register.

Read More: Understanding Mobile App HIPAA Compliance

Is Multi-factor Authentication Necessary?

Multi-factor authentication is defined as requiring a patient to produce more than one type of credential when logging into an application. The majority of logins only need a user to enter information such as a username and password. In multi-factor authentication, additional information is required such as a code on a card, security token, SMS message, and/or by direct verification of identity, like a fingerprint or challenge questions. As passwords and access to email accounts can easily be compromised, multi-factor authentication is growing in popularity for healthcare mobile app platforms. While the HIPAA Security Rule does not require multi-factor authentication, it is important to thoroughly consider its provisions on information access management and access control to determine how to best account for them in your HIPAA compliant healthcare application.

 How Strong Do Passwords Need to Be?

More and more mobile app platforms now require users to adopt “strong” passwords. While HIPAA requires the use of passwords, there is no legal specification on password strength. Therefore, each healthcare organization can decide on password requirements during the application development phase. We recommend following the NIST Digital Identity Guidelines, which recommends that a password should be between 8 to 64 characters long, and all ASCII characters, including the space character, are acceptable.
It’s also essential that when a user creates or changes a password, it be tested against the following:

  • Passwords obtained from previous data breaches (One can check if an account has been compromised in a data breach on a website such as https://haveibeenpwned.com/.)
  • Dictionary words.
  • Repetitive or sequential characters (e.g. “aaaaaa” or “1234abcd”)
  • Context-specific words, such as the name of the service, the username, and derivatives thereof.


How Should Passwords Be Managed and Monitored?

HIPAA does include addressable implementation specifications on password management and login monitoring. Addressable means that an organization can decide to implement the specification as is, choose to put an alternate security measure or measures in place, or even — if the specification is not reasonable or appropriate to the particular entity — implement nothing. The key is that the decision and reasoning behind the implementation must be documented in written form, with in-depth consideration and appropriate justification demonstrated.
In this case, HIPAA stipulates that Covered Entities and Business Associates include several important features in their security awareness programs. One is to train staff on procedures for creating, changing, and safeguarding passwords. The other is that staff also learn how to monitor login attempts by external users and report any potentially problematic login activity, such as failed login attempts. Each organization needs to fully consider these addressable matters to plan, document, and implement its strategy.

What Are the Login Timeout Requirements, and How Does This Apply to a Personal Mobile Device?

HIPAA includes automatic logoff — when the application ends a user’s session after a specific period of inactivity — as another addressable implementation specification. However, the time to logoff is not stated. In choosing the number of minutes of allowed inactivity before a session is terminated, it’s essential to consider on what device and in what environment the application will be used. If you’re working with a mhealth app or HIPAA compliant messaging that will be used by patients on their phones anywhere they go, including crowded areas, a short time to logout of 2 to 3 minutes is advisable. However, if you’re working on the physician’s side of an application used in a private doctor’s office, a longer time to log out, like 10 to 15 minutes, is acceptable.

patient portal mobile app
After a predetermined period of inactivity, a patient is required to re-enter their long-form, complex, secure password. Biometric authentication simplifies the login process and allows patients to seamlessly verify their identity through fingerprint or facial recognition technology before accessing the HIPAA compliant healthcare application.

We’ve only scratched the surface of the Security Rule. Check out Part 2 (HIPAA auditing) and Part 3 (encryption, servers, and notifications to patients).

Pablo, our Chief Information Security Officer, architected and manages Bridge’s HIPAA-compliant hosting infrastructure. He is an Amazon Web Services (AWS) Certified Solutions Architect and is about to receive a Masters degree from the University of Buenos Aires in Computer and Information Systems Security and Information Assurance. He has a passion for all things related to cybersecurity and cloud hosting.

How to Keep Your Doctor-Patient Relationship Healthy with Technology

Although healthcare IT has transformed over the years, patients have held the same expectation: to be in the care of a personable doctor who will communicate effectively and make health decisions that are in the patient’s best interest. However, doctors have constantly struggled to navigate the boundaries of a patient-doctor relationship and the use of new technology, unfortunately, could potentially complicate the issue. Below we discuss the Do’s and Don’t’s of doctor-patient interactions on online platforms. (more…)

Blake joined Bridge Patient Portal in 2016 after transferring from our parent company Medical Web Experts. Since then, he’s acted as Bridge’s Business Development Manager. Blake is passionate about driving collaboration with clients, partners, and internal teams to achieve performance goals and successful relationships.