HIPAA Compliance for SaaS

HIPAA compliance for SaaS consists of ensuring the software product or service complies with all applicable Security Rule standards, and that the product or service includes capabilities that can be configured to support end-user HIPAA compliance.  

HIPAA compliance for SaaS is one of the many HIPAA-related topics full of ifs, buts, and maybes. In this case, there are so many possible answers to questions about cloud services because the original Health Insurance Portability and Accountability Act of 1996 was enacted long before cloud services were commercially available.

The subsequent HITECH Act of 2009 and the Final Omnibus Rule of 2013 make limited references to any technical specifications, leaving many developers, service providers and hosting companies in the dark about HIPAA compliance for SaaS. However, there are some guidelines and best practices businesses developing, providing or hosting cloud services should adopt.

What is HIPAA Compliance for SaaS?

In relation to software developers and service providers, HIPAA compliance for SaaS means adherence to the administrative, technical and physical safeguards of the HIPAA Security Rule – provided the products you develop or the services you provide involve the creation, receipt, storage, or transmission of Protected Health Information (personally identifiable health data about an individual). For example:

  • If you are a software developer, and you build an application that collects personally identifiable data about an individual that may later be shared with a medical professional, you are subject to HIPAA compliance for SaaS developers.
  • If you are a service provider whose clients create, receive, store, or transmit Protected Health Information through your services, you are subject to HIPAA compliance for SaaS providers and will need to enter into a Business Associate Agreement with clients.

With regard to SaaS hosting companies, there is no specific provision in the HIPAA Security Rule safeguards that opposes the architecture of a cloud server, VPS server, or SaaS application – even though by nature these are “shared” architectures. However, most HIPAA Covered Entities and Business Associates will want to know that you offer a HIPAA-eligible option.

Key Areas of HIPAA Compliance for SaaS Providers and Hosting Companies

For most developers building eHealth apps for personal use, HIPAA compliance will not be an issue. For SaaS service providers and hosting companies, the key areas to focus on are the administrative, technical and physical safeguards of the HIPAA Security Rule.

The administrative, technical and physical safeguards are intended to prevent the unauthorized disclosure or use of Protected Health Information while it is at rest or in transit, and – in respect of HIPAA compliance for SaaS providers and hosting companies – focus on facility controls, access controls, user authentication, and transmission security.

The Difference between Required Safeguards and Addressable Safeguards

In all circumstances, if a safeguard is “required”, it is compulsory. The safeguard must be implemented and there are no exceptions. “Addressable” safeguards have been interpreted by some as a safeguard “we must get around to addressing sometime in the future”. This is not the case – especially in relation to HIPAA compliance for SaaS providers and hosting companies.

An addressable safeguard is one that must be implemented unless a suitable alternative is implemented in its place, or it is determined the addressable safeguard is unnecessary in the circumstances. The reason(s) why an alternative or no safeguard is implemented must be chronicled after conducting a risk assessment and developing a risk mitigation strategy – both of which must also be chronicled.

An example of an “addressable” safeguard that takes on a different context when applied to SaaS providers and hosting companies is encryption. A healthcare provider could implement an alternative or no safeguard if the PHI created, used and maintained was confined to a private, secure network. This could not be the case in the context of HIPAA compliance for SaaS providers and hosting companies and so the safeguard of encryption would become “required”.

HIPAA Compliance for SaaS: FAQs

Is HIPAA the only law that developers and SaaS providers have to comply with?

No. Certain medical devices and services are subject to §201(h)(1) of the Food, Drug, and Cosmetic Act, which is regulated by the FDA, while vendors of personal health applications and service providers to the personal health industry have to comply with the Health Breach Notification Rule of the HITECH Act. These requirements are enforced by the FTC.

Do developers and vendors with “zero knowledge” of PHI still have to comply with HIPAA?

On the “for professionals” section of its website, HHS states that cloud service providers (which includes any SaaS product or service that collects, receives, maintains, or transmits PHI) are considered to have “persistent access” to PHI even if operating under a zero knowledge model, and must enter into a Business Associate Agreement with the organization they are providing a service to.

In the context of HIPAA compliance for SaaS, what is a “HIPAA-eligible option”?

HIPAA-eligible options are products or services which can be configured by a HIPAA Covered Entity or Business Associate to be HIPAA compliant. This enables developers and service providers to build apps or provide services that can be used by the general public without having to constrain the capabilities of the product or service to only entities subject to HIPAA.

What is the “flexibility of approach” standard in the Security Rule?

The flexibility of approach standard (§164.306) allows Covered Entities and Business Associates to implement whatever security measures best meet their compliance requirements. This does not mean that some implementation specifications can be overlooked. It simply allows a degree of choice based on the organization's existing infrastructure and software security capabilities.

What if a vendor supplies a SaaS service that does not collect, store, or transmit PHI?

This depends on whether or not the service could be used to collect, store, or transmit PHI. A good example of this is password managers with secure messaging capabilities. Normally, these solutions would be used to store and autofill login credentials – in which case HIPAA compliance and Business Associate Agreements are not an issue.

However, if a password manager is used to store or transmit PHI – even against an organization's usage policy – the software has to be capable of being configured to Security Rule standards, and a Business Associate Agreement has to be in place, as the password manager vendor will qualify as a Business Associate.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com