This document discusses best practices for developing HIPAA compliant applications, focusing on cloud and mobile applications. It covers compliance requirements before and during use of public clouds, recommends using a HIPAA compliant cloud provider and signing a business associate agreement. It also discusses software development practices like separating environments, data integration and third party integrations. Additional topics include operating a HIPAA compliant solution, and keeping mobile apps compliant by encrypting data and limiting PHI in notifications.

1. How To Develop
HIPAA Compliant
Applications
Focusing on Cloud and Mobile Applications

2. How To Develop HIPAA Compliant Applications
▪ Introduction
▪ Compliance Before the Public Cloud
▪ Compliance During the Public Cloud
▪ 3rd Party Cloud Options for Compliance
▪ Software Development Practices for Compliance
▪ Operating a HIPAA Compliant Solution
▪ Keeping Mobile Apps Compliant

3. Introduction – Joel Garcia
▪ Engineering – Symantec – Host Intrusion Detection, Symantec Security Incident
Manager
▪ VPECTO – MedVantage acquired by IMS Health – Clinical Quality and
Affordability Metrics for Providers. Big Data from Claims and Episode Treatment
Groups – HIPAA Compliant before the Cloud
▪ VPE – LiveVox acquired by Golden Gate Capital – Cloud based hosted dialer.
PCI and SAS70
▪ AllCode – CTO – Developed and deployed a number of HIPAA Compliant
solutions for startups: ConsejoSano, Aforacare, Contex, etc…

4. Introduction – HIPAA
▪ Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects most
“identifiable health information’ held or transmitted by a covered entity or its
business associate, in any form or medium, whether electronic, on paper or oral.
The Privacy Rule calls this information Protected Health Information (PHI).
▪ PHI under US law is any info in a medical record that can be used to identify an
individual that was created in the course of providing a healthcare service, e.g.
diagnosis or treatment.

5. Introduction - HIPAA Components
▪ Security Policies
▪ Human Resource Security
▪ Physical and Environmental Security – Colocation or Cloud
▪ Communications and Operations Management
▪ Access Control – Password Management, Encrypted VPNs
▪ Incident Management – Customers notified of a hack, Documented processes
▪ Business Continuity Plan – DR, do you run your BCP?

6. Introduction - HIPAA Components
▪ IT Compliance
▪ System Development and Software Development Lifecycle that includes in a
security risk assessment: Scanning for application vulnerabilities, e.g. OWASP
top ten, using something like WhiteHat, source control management, three tiered
architecture with separate firewalls, data exchange
▪ Cloud Computing – IaaS, PaaS, SaaS
▪ Cloud Security Services – DDoS attacks prevention, Physical and logical
separation of data, encrypting data at rest and in transit
▪ Cloud Security Architecture

7. Compliance Before the Public Cloud
At MedVantage, before the public cloud, we built and operated a private cloud
infrastructure for the claims and episodes treatment groups data from Blue Cross
Blue Shield plans. This was a lot of work and cost a lot of $.
▪ Physical and Environmental Security
▪ Communication and Operation Management
▪ Access Control
▪ Incident Management – SSIM, Arcsight
▪ Security – DDoS and data loss prevention

8. Compliance During the Public Cloud
With the advent of the Public Cloud HIPAA solutions, we can now stand on top of these
vendors for Software Development by having them sign a Business Associate Agreement
(BAA)
▪ TrueVault
▪ Aptible
▪ ClearDATA
▪ Amazon Web Services
▪ FireHostArmor

9. Compliance During the Public Cloud (contd)
▪ Best to use a cloud solution that is focused on healthcare security. Solutions that
are not focused on security may be reluctant to provide the information that you
need, e.g. audit reports.
▪ Each of these vendors provide differing offers, but you’re effectively looking for a
way to not have to implement some of the onerous tasks associated with
protecting PHI and providing a secure private cloud platform.
▪ Only store the PHI in the the HIPAA compliant container. If you’re solution has
components that don’t need to touch PHI, run these components elsewhere with
communication going through SSL.

10. Compliance During the Public Cloud (contd)
▪ Things that I look for when picking a vendor:
▪ A Virtual Private Cloud (VPC) sitting on top of AWS
▪ Support for SFTP out of the box
▪ Database traffic is encrypted at transit and
▪ Ease of use
▪ Centralized Access Control system
▪ Automated Risk Management.

11. Compliance During the Public Cloud (contd)
▪ Remember HIPAA is More than Technology - Incidence Response, Risk
Assessment, Operations, Policies & Procedures, Security & Compliance Training
are all priorities. To help with these issues there are compliance cloud platforms,
which enable you to manage all of the audit reports to prepare for external audits
and certifications.
▪ QIXpress - QIPSolutions
▪ Gridiron – Aptible
▪ ClearData
▪ ZenGRC – Reciprocity Labs

12. Compliance During the Public Cloud (contd)
▪ These compliance platforms enable you to
▪ Generate sane, relevant security and compliance policies
▪ Train your workforce in security and secure coding practices
▪ Respond to security and privacy incidents
▪ Conduct internal audits and compliance status check for your BCP, vulnerability
assessment, patch management.
▪ Prepare for external audits and certifications

13. Software Development Practices
▪ Running Production, Test, and Development environments in a HIPAA secure
environment can be expensive and time consuming to maintain and deploy
▪ For development environments, leverage Heroku and AWS
▪ For test environments, continue on Heroku AWS
▪ For production environments, use the PHI containers and services.

14. Software Development Practices (contd)
For B2B solutions, data integration with your client for either eligibility files or EMRs needs to
be considered at the architecture stage. You do not want to build your data integration
solution as part of your web app or REST web service component.
▪ SFTP - Large data files are typically transferred via SFTP.
• Customer deposits file into your SFTP account. Decrypt the file using PGP. ETL the data
into your middleware with all communication going through HTTPS.
• You pull from Customer’s SFTP. This is the reverse. Client creates a name account for
you using your private key. Pull the eligibility data at specified interval. When the
download is complete, then the process is just like the FTP in.
• REST Web Services – Customer invokes REST Web Services to update data with all
traffic encrypted via SSL.

15. Software Development Practices (contd)
Third party integrations can be tough in terms of compliancy. You need to read the BAAs.
▪ Email – Most email providers are not HIPAA compliant, e.g. SendGrid. Certain email
providers are HIPAA compliant, e.g. MailGun. There is a cost associated with using
Mailgun
▪ SMS – Most SMS message providers are Not HIPAA compliant.
▪ PHI must be encrypted in transit, which makes this difficult
▪ Secure Messaging is compliant when the communication is going over TLS to a secure
machine, but this may not work when engaging with patients.
▪ Video Chat –OpenTok or Janus webRTC – AugMedix…

16. Operating a HIPAA Compliant Solution
When your production environment is locked down, everything will slow down when it comes
to
▪ Deploying new code
▪ Accessing the database to see what’s going on
▪ Monitoring the log files
▪ Bringing up machines that have crashed

17. Keeping Mobile Apps Compliant
• All network communication runs through SSL.
• Try to store as little PHI on the mobile device as possible
• When data is stored on the mobile device, PHI needs to be encrypted with AES-
256
• Try not to insert PHI into your push notifications.
• Make sure that your app is not a medical device that requires FDA approval

18. Thank You
Joel Garcia
joel@allcode.com
(415) 890-6431
564 Market Street, Suite 607
SF, CA, 94104