Solutions for companies that need to build HIPAA-compliant software applications.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) and HITECH (the Health Information Technology for Economic and Clinical Health Act) privacy and security regulations
These regulations apply to covered entities and their business associates that create, receive, maintain, or transmit Protected Health Information (PHI, or ePHI when held electronically). They impose requirements not only on the application being developed, but also on the organization's internal procedures for the use, disclosure and protection of PHI in its systems.
The Security Rule sets out specific administrative, physical and technical safeguards that a software application and the organization operating it must meet, including encrypting ePHI in transit and at rest. Encryption is an "addressable" specification under the Security Rule rather than a flat mandate, but in practice it is the expected control: wherever it is not used, a documented and reasonable alternative is required, and the HITECH breach-notification safe harbor applies only to PHI that was encrypted.
An organization must sign a BAA (Business Associate Agreement or Business Associate Addendum) with any provider or partner in its system's architecture that will create, receive, process, or store PHI at any point in the application's workflow. The agreement binds the business associate to safeguard the PHI and to report security incidents and breaches back to the organization.
When building an application on top of cloud services, only services the provider designates as "HIPAA Eligible" (the provider's term for the services covered under its BAA) may be used to store or process PHI. Signing the BAA does not by itself make a deployment compliant: the services still have to be configured to secure the data (encryption at rest and in transit, access control, audit logging, no public exposure), and that configuration is the customer's responsibility, not the provider's.
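Checking that configuration against a controls matrix is the kind of work that can be automated as policy-as-code. The following is an added example written for this page, not the firm's tooling and not any provider's API: it runs a gap analysis over a constructed resource inventory and produces a per-resource remediation list. The inventory records, the set of "HIPAA Eligible" services and the control-to-regulation mapping are assumptions for illustration; a real run would load the inventory from the provider's configuration or asset API and take the eligible-service list from the provider's BAA documentation.

```python
"""Policy-as-code gap check for cloud resources that handle ePHI.

Added example for this page; not the firm's own tooling and not tied to any
cloud provider's API. Inventory, eligible-service list and control mapping
are constructed assumptions for illustration.
"""
from collections import defaultdict

# Assumption: the services the (hypothetical) provider's BAA covers.
BAA_ELIGIBLE_SERVICES = {"object-storage", "managed-database", "compute"}

# Control matrix: (control id, 45 CFR Part 164 reference, description, check).
# Each check returns True when the control is satisfied for the resource.
CONTROLS = [
    ("BAA-1", "164.308(b)(1)", "service is covered by the provider's BAA",
     lambda r: r["service"] in BAA_ELIGIBLE_SERVICES),
    ("ENC-1", "164.312(a)(2)(iv)", "ePHI encrypted at rest",
     lambda r: r["encrypted_at_rest"]),
    ("ENC-2", "164.312(e)(1)", "ePHI encrypted in transit (TLS enforced)",
     lambda r: r["tls_only"]),
    ("AUD-1", "164.312(b)", "access logging enabled",
     lambda r: r["access_logging"]),
    ("ACC-1", "164.312(a)(1)", "not reachable from the public internet",
     lambda r: not r["public"]),
]

# Constructed sample inventory, one record per deployed resource.
SAMPLE_INVENTORY = [
    {"id": "phi-object-store", "service": "object-storage", "stores_phi": True,
     "encrypted_at_rest": True, "tls_only": True, "access_logging": True, "public": False},
    {"id": "phi-db", "service": "managed-database", "stores_phi": True,
     "encrypted_at_rest": False, "tls_only": True, "access_logging": True, "public": False},
    # A cache holding session data with PHI on a service the BAA does not cover.
    {"id": "session-cache", "service": "in-memory-cache", "stores_phi": True,
     "encrypted_at_rest": False, "tls_only": False, "access_logging": False, "public": False},
    # Public marketing site: never touches PHI, so the PHI controls do not apply.
    {"id": "marketing-site", "service": "static-site", "stores_phi": False,
     "encrypted_at_rest": False, "tls_only": True, "access_logging": False, "public": True},
]


def gap_analysis(inventory, controls=CONTROLS):
    """Return one finding per (resource, failed control) for resources that hold ePHI."""
    findings = []
    for resource in inventory:
        if not resource.get("stores_phi"):
            continue  # scope the matrix to resources that actually store/process PHI
        for control_id, citation, description, check in controls:
            if not check(resource):
                findings.append({"resource": resource["id"], "control": control_id,
                                 "citation": citation, "description": description})
    return findings


def remediation_plan(findings):
    """Group findings by resource so each owner gets one list of controls to close."""
    plan = defaultdict(list)
    for finding in findings:
        plan[finding["resource"]].append(finding["control"])
    return {resource: sorted(ids) for resource, ids in plan.items()}


def is_compliant(inventory, controls=CONTROLS):
    """True when no in-scope resource fails any control in the matrix."""
    return not gap_analysis(inventory, controls)


if __name__ == "__main__":
    findings = gap_analysis(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f['resource']:16} {f['control']}  {f['citation']:18} {f['description']}")
    print("remediation plan:", remediation_plan(findings))
    print("compliant:", is_compliant(SAMPLE_INVENTORY))
```

Keeping the control matrix as data (id, citation, check) rather than as ad-hoc if-statements is what makes it maintainable under version control: a reviewer can diff a change to a control the same way they diff a policy document, and the citation column ties each finding back to the regulation for the audit file.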
While this all sounds complex for a small team that wants to build the next big health care application, cloud services actually help drive innovation when managed correctly. Under a shared responsibility model, the cloud provider takes on the hardware maintenance and the physical and infrastructure security controls that come with running on-premises data centers or servers, while the customer remains responsible for securing what it builds and configures on top of them.
We help small companies achieve HIPAA compliance by creating easy-to-maintain management and security policies using modern version control applications. Other services include BAA contract reviews and audits to establish a shared responsibility baseline that leverages your cloud service provider's existing SOC 1/2/3 reports and ISO 27001 certification.
Compliance consulting services for HIPAA / HITECH security and privacy controls:
- Assistance with conducting an initial or follow-up HIPAA risk assessment
- Audits of cloud provider(s) / data center(s) to establish compliance and a shared responsibility baseline
- Gap analysis
- Remediation planning against a HIPAA controls matrix
- BAA reviews and policy continuity management
- Consulting on updating and/or creating internal security policies and standard operating procedures
- Third-party penetration testing and vulnerability scans, with reporting
- Consulting on continuous monitoring programs
- Third-party internal audits
- SDLC review and consulting for compliance
- Software quality assurance review and consulting for compliance
Contact us today. We would be happy to discuss your software compliance needs for HIPAA privacy and security.