科技回声 (Tech Echo)

A tech news platform built on Next.js, carrying global tech news and discussion.
© 2025 科技回声. All rights reserved.

HIPAA 101 for Software Development Teams

251 points, posted by chasb, about 9 years ago

9 comments

patio11, about 9 years ago

What I've learned over the last few years:

1) The requirements are theoretically tractable by an SMB, but only just.

2) Non-compliance is ridiculously widespread. Ridiculously. This is partly because HIPAA prohibits people from doing things they really want to do (emailing about a patient, perhaps to that patient) and partially because the requirements are so vague.

3) Be prepared to use HIPAA as a pricing segmentation engine, and for your providers to use it on you. Getting a BAA with Rackspace, for example, quintupled our costs.

4) Get insured. Because literally everyone is exposed to this and investigations are infrequent, the industry treats them like acts of God. You can insure, minimally, the cost of responding to an investigation (though my policy doesn't cover any fines assessed) and breach notification.

Replies not loaded: #11379842, #11381080, #11381043, #11383931
ashworth, about 9 years ago

From the team at TrueVault, a GitHub repo with a developer's guide to HIPAA compliance. Similar to Aptible, they pitch themselves within the guide, but it is still a good resource:

https://github.com/truevault/hipaa-compliance-developers-guide

Reply not loaded: #11379200
Johnny555, about 9 years ago

Quoting the article: "Is it reasonable and appropriate not to encrypt traffic between an app and a database inside a virtual private cloud? ... There is little official guidance for engineers and developers today"

While HHS may not tell you what to do on your own private cloud, if you host on a public cloud you'll have to sign a BAA where the provider will tell you what you need to do to ensure HIPAA compliance of their platform. AWS, for example, requires encryption everywhere: end-to-end encryption from the client to your servers, encrypting all PHI data sent between your servers (web, app, db servers, etc.), and encrypting all data at rest.

https://aws.amazon.com/compliance/shared-responsibility-model/

If public cloud providers require encryption everywhere, I'd sure hate to have to explain in a HIPAA audit why I thought it was not "reasonable and appropriate" to do the same thing in my own datacenter, after an investigation for a breach that used a network sniffer between my servers.

We had one application that did not support encryption natively (everything was sent in the clear), so we ended up setting up a point-to-point VPN between those servers to encrypt data in transit. Otherwise, AWS wouldn't have signed off on the BAA if we could not assure them that all PHI was encrypted.

Reply not loaded: #11383969
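The comment above is about making sure every hop that carries PHI is encrypted. One place this silently fails in practice is the database client: a connection string with no TLS setting, or with a mode that encrypts but never checks the server's certificate, satisfies "we turned on SSL" while still letting an on-path host inside the VPC terminate the session. The following is an added audit helper, not code from the thread, from Aptible, or from any provider mentioned; it classifies PostgreSQL (libpq `sslmode`) and MySQL (`ssl-mode`) connection URIs by the protection they actually negotiate. The hostnames and DSNs are constructed for the example.

```python
"""Classify database connection strings by the PHI-in-transit protection
they negotiate.

Added example (not from the original thread). Assumes libpq-style
PostgreSQL URIs (sslmode=...) and MySQL-style URIs (ssl-mode=...); the
sample DSNs are constructed.
"""
from urllib.parse import urlparse, parse_qs

# Ranked weakest to strongest. Only the verify-* / VERIFY_* modes
# authenticate the server, so only they stop an on-path attacker from
# terminating TLS themselves and relaying the queries in the clear.
POSTGRES_RANK = {"disable": 0, "allow": 1, "prefer": 1, "require": 2,
                 "verify-ca": 3, "verify-full": 4}
MYSQL_RANK = {"DISABLED": 0, "PREFERRED": 1, "REQUIRED": 2,
              "VERIFY_CA": 3, "VERIFY_IDENTITY": 4}


def classify(dsn: str) -> tuple[str, str]:
    """Return (level, reason) where level is one of
    'plaintext', 'unauthenticated-tls', 'verified-tls' or 'unknown'."""
    u = urlparse(dsn)
    q = {k: v[-1] for k, v in parse_qs(u.query).items()}
    scheme = u.scheme.split("+")[0]  # e.g. postgresql+psycopg2 -> postgresql

    if scheme in ("postgres", "postgresql"):
        mode = q.get("sslmode", "prefer")  # libpq's default when unset
        rank = POSTGRES_RANK.get(mode, 0)
        # libpq treats sslmode=require with a root CA file like verify-ca.
        if mode == "require" and "sslrootcert" in q:
            rank = 3
        param = f"sslmode={mode}"
    elif scheme == "mysql":
        mode = q.get("ssl-mode", "PREFERRED").upper()  # MySQL's default
        rank = MYSQL_RANK.get(mode, 0)
        param = f"ssl-mode={mode}"
    else:
        return "unknown", f"unrecognised scheme {u.scheme!r}"

    if rank < 2:
        return "plaintext", f"{param} allows the session to run without TLS"
    if rank < 3:
        return ("unauthenticated-tls",
                f"{param} encrypts but does not verify the server certificate")
    return "verified-tls", f"{param} encrypts and authenticates the server"


def audit(dsns: list[str]) -> list[tuple[str, str, str]]:
    """Classify every DSN; returns (dsn, level, reason) triples."""
    return [(d, *classify(d)) for d in dsns]


# Constructed sample inventory: one weak, one half-fixed, two correct.
SAMPLE_DSNS = [
    "postgresql://app@db.internal:5432/phi",
    "postgresql://app@db.internal:5432/phi?sslmode=require",
    "postgresql://app@db.internal:5432/phi?sslmode=verify-full"
    "&sslrootcert=/etc/ssl/internal-ca.pem",
    "mysql://app@db.internal:3306/phi?ssl-mode=VERIFY_IDENTITY",
]

if __name__ == "__main__":
    for dsn, level, reason in audit(SAMPLE_DSNS):
        print(f"{level:20} {dsn}")
        print(f"{'':20} {reason}")
```

Running it over the constructed inventory flags the first DSN as plaintext (libpq defaults to `prefer`, which downgrades silently) and the second as encrypted-but-unauthenticated; only the last two count as "PHI encrypted in transit" in the sense a BAA reviewer will accept. The rank thresholds are this example's own policy, not an HHS or AWS requirement.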
theallan, about 9 years ago

Does anyone have experience with HIPAA who is not based in the US?

It can obviously be useful as a sales avenue to US-based customers, but I'm wondering what channels you need to go through if you are not a US-based company.

Replies not loaded: #11385424, #11380671
jrnichols, about 9 years ago

This was a good read. It's something that I can point people to, since even as a health care provider (firefighter/paramedic) we frequently run into other levels of provider that are clueless about HIPAA and use it as an excuse not to provide information that we need. (In other words, they're being lazy, and claiming "that's a HIPAA violation" is way easier for them.)

It's amazing just how misunderstood HIPAA has become.
noir_lord, about 9 years ago

Not subject to HIPAA, as I'm in the UK, but something I'm working on stores medical data, so this looks interesting.

I wish the UK had something so concise.

Reply not loaded: #11379250
hacknat, about 9 years ago

Full disclosure: I'm an engineer at Catalyze Inc, a direct competitor of Aptible's.

That being said, working with payers and providers you are obviously going to want to learn the ins and outs of HIPAA. However, increasingly providers, and by proxy payers, are requiring that their vendors be HITRUST certified. It is worth realizing that being HIPAA compliant will not be enough for a lot of the big players. Just something to be aware of!

FYI, my company's platform is HITRUST certified, beyond the simple self-study, which, again, is often not enough for the big players in health care.

Reply not loaded: #11378719
mchahn, about 9 years ago

I have a place in my heart for concatenative languages. When I was a junior engineer in 1970 working on the first sealed hard disk, I used Forth to build test routines for the disk. I started with transferring bytes, then seeking, up to reading any block. It went fast and was very flexible.

Reply not loaded: #11379125
tajen, about 9 years ago

Asking HN commenters: regarding HIPAA requirements, how do you get protected from malicious software on Macs?

Replies not loaded: #11381311, #11381280