News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Understanding HIPAA's security rule for telemedicine apps Related reading: Why the new HIPAA telehealth announcement is a welcome move

rss_feed

""

The rapid growth in telehealth has predictably spawned the development of a variety of new software solutions to serve the needs of both doctors and patients. While the field is wide open for application developers, the area of telemedicine also presents some unique data privacy and security challenges. Of course, the principles of privacy by design tell us that data privacy concerns should be integrated into the entire design process, but this imperative becomes all the more important and challenging when the app in development will be handling users’ personal information.

The U.S. Health Insurance Portability and Accountability Act imposes unique data security standards on telehealth app developers. In March, the Department of Health and Human Services temporarily suspended enforcement for noncompliance with HIPAA rules in connection with the good-faith use of telehealth services during the pandemic.

This temporary suspension should not lead telehealth app developers into a false sense of complacency regarding HIPAA’s strict security requirements. Any telehealth-specific app must comply with the HIPAA Security Rule if it is to have any meaningful market success.

Further, reduced risk of enforcement should not lead to lax security practices. The threat of bad actors exploiting weak or immature security controls to access or exfiltrate personal information, intellectual property, such as source code, or other sensitive information is ever-present. Telehealth app developers should implement best practices for security when designing and improving their apps, especially as the apps continue to iterate and new features are added.

Business associate agreements

As an initial matter, any telemedicine or telehealth app facilitating the transfer of protected health information between health care providers and patients will need to enter into a business associate agreement with the health care provider. HIPAA requires health care providers to enter into a BAA with any vendor that transmits or maintains electronically protected health information on its behalf to ensure the vendor is properly safeguarding the ePHI. Through the BAA, the vendor represents that its services will comply with HIPAA’s Privacy, Security, Breach Notification and Enforcement Rules as applicable to the services being provided.  

HIPAA’s Security Rule

HIPAA’s Security Rule sets standards for administrative, physical, technical and organizational safeguards to secure protected health information. The technical safeguards specifically identify policies and procedures for protecting ePHI and controlling access to it and fall into the following categories: access control, audit controls, data integrity, authentication and transmission security. 

Access control

HIPAA requires the implementation of policies and procedures to ensure that only authorized persons and software programs access the ePHI. The Security Rule does not specify any particular technical controls for meeting this standard; however, it does set forth two required implementation specifications that an app developer must meet and two more that should be implemented when reasonable and appropriate. In the context of app development, all four specifications should be implemented.

Unique user ID

Each user of the app should be assigned a globally unique identifier, which can be a username, number or random string of characters. Using this GUID, the system should be able to attribute and protect access to app-related data for end users (patients and health care providers), as well as employees or vendors. GUIDs as a method of identification, however, should not be conflated with authentication, which is detailed further below. Systems should require more than just a GUID to provide access, as they may be publicly available or easily ascertained.

Emergency access procedures

Generally speaking, the Security Rule requires that the system establish and implement as needed a procedure for obtaining necessary ePHI in an emergency situation.

Automatic logoff

The app must also implement electronic procedures that terminate authenticated sessions after a predetermined time of inactivity. An automatic logoff system reduces the risk that unauthorized users will gain access to the system and related ePHI. Although it can create a bit of a speed bump in the user experience, telehealth app developers should seek to shorten the inactivity period that triggers the automatic logoff, particularly for web apps.

Encryption and decryption

Where feasible, encryption should be used to protect ePHI from unauthorized access either by individuals or other software programs. Using standard protocols like HTTP with TLS protects data in transit, and modern encryption schemes, like advanced encryption standard and authenticated encryption, protect data at rest.

Audit controls

Technical means must be implemented for recording and examining activity on the system. Audit controls also typically include the ability to generate an audit report. Such capabilities are particularly important for gathering system information in the event of a security violation. The Security Rule does not specify what data must be gathered by the audit controls. Consequently, app developers should consider what data is collected, how the system is used and what kind of security breaches are more likely when designing the audit controls. Importantly, app developers should also be mindful of the ways in which audit controls can, if not well designed, introduce additional security risks.

In addition to audit controls, app developers should ensure they have implemented monitoring and alerting on the app’s underlying infrastructure to identify any anomalous behavior. The first step to understanding events that occur on application infrastructure is to collect them in a centralized location. Having a security incident and event management system allows companies to collect disparate log sources, potentially from multi-cloud environments, in a central location.

Once log collection has been configured, conducting research over time into baseline activities will help determine which events truly reflect something of concern. That being said, alerting and monitoring is only as helpful as those observing the data generated by these systems, as they are never fully autonomous.

Integrity

The app must have mechanisms in place to protect ePHI from improper alteration or destruction. Here too, a developer must consider how the ePHI is used on the platform and determine where the risk of alteration or destruction of ePHI might exist. Once those areas are identified, security measures must be implemented to reduce those risks.

Alerting and monitoring can also help preserve data integrity. At a minimum, the app should have some technical means for detecting changes to ePHI data. More sophisticated telehealth app developers will leverage privileged access management as an additional layer of security that protects ePHI integrity. PAM restricts access to administrator accounts or accounts that have broad rights to sensitive data to a select few individuals for a limited period of time.

Person or entity authentication

The Security Rule requires, where feasible, the system have a means of verifying the identity of the user, though the standard does not describe any implementation specifications. The use of passwords, PINs, tokens or biometrics are various technical means of meeting this requirement.

Due to the sensitive nature of ePHI that telehealth apps can store or exchange, any telehealth app should integrate a strong authentication workflow. Authentication is the process by which a user proves its identity to the app or its supporting infrastructure. Most apps rely on a combination of username and password, but those are often reused and/or simplistic. This leads to an increased risk of compromised authentication credentials.

Telehealth app developers should consider implementing multifactor authentication for both end users and employees or vendors. Other factors beyond username and password (something you know) could include app-based or text message codes (something you have) or biometric data, like fingerprints (something you are). This provides an extra layer of security protection that can mitigate the risk of a wide variety of types of attacks. MFA has experienced widespread use in other sectors, such as the financial sector, and telehealth apps should consider following suit.

Transmission security

The final standard is transmission security. App developers should consider the communication channels being used for transmitted ePHI and implement appropriate means of securing the transmission. In the current app ecosystem, both web and mobile apps that rely on server-based infrastructure require public-facing application programming interfaces to make the app’s data available.

APIs are what enable apps to leverage or share data with third parties, such as when a user connects a social media account to an app to access photos or other data from a social media profile. Misconfigured or improperly-secured APIs have been the source of many breaches and require rigorous testing and auditing.

There are two implementation specifications for this standard.

Integrity control

Similar to the integrity standard, safeguards must be put in place to ensure that electronically transmitted ePHI is not improperly modified without detection. Cryptographically signing messages can help to detect modification of data.

Encryption

Similar to the access control standard, encryption technology must be utilized as appropriate to protect transmitted ePHI from unauthorized access by individuals or software programs. The Security Rule does not specify the use of any particular encryption standard. Rather, a developer should choose an encryption solution that appropriately addresses the security threat level presented by the transmission system being utilized.

Designing telehealth apps poses a number of unique challenges to developers, and the requirements of HIPAA’s Security Rule is chief among them. Determining the best technical means for complying with HIPAA’s standards requires judgment and expertise, as each application will demand a different set of solutions tailored to the app’s uses and functionality. Inadequate or lax app design can result in poor app adoption and significant legal exposure. Consulting with the right legal and data security professionals as part of the development process ensures these critical issues are identified and addressed.

Photo by National Cancer Institute on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Authors
Headshot Heidi Wachs, CIPP/US IAPP Member Contributor
Headshot Jeffrey Atteberry Nonmember Contributor
Headshot Noah Rubin Nonmember Contributor
Tags
Health Care
U.S.
Infosecurity
Privacy-Enhancing Technology
Comments

If you want to comment on this post, you need to login.

Related Stories
The pandemic and the evolution of health care privacy
When I teach privacy law, I try to make the issues real for the students. It often isn’t that hard — privacy issues remain in the news almost every day. The evolution of the pandemic has made more of these issues real and is leading to a series of critical questions for the future of health care pri...
Read More queue Save This
Related Stories
Tags
Health Care
U.S.
Infosecurity
Privacy-Enhancing Technology
Recent Comments