FileMaker, WordPress, and the Healthcare Medical Industry – HIPAA Compliance

Claris FileMaker has many solutions in the health and medical industry. Among others, LuminFire’s mobile healthcare TrackUS custom app was built using FileMaker and web technologies.

LuminFire specializes in assisting clients in the healthcare and related medical industries by rapidly building affordable custom applications and websites. Some of the most valuable tools in accomplishing this for clients include FileMaker and WordPress.

One vital component of our technology consulting with the organizations we work with is helping to ensure that we are properly following HIPAA (Health Insurance Portability and Accountability) regulations when architecting, developing and supporting their solutions. Our experience with projects we’ve successfully implemented in the healthcare and medical industry often identifies existing vulnerabilities in organizations that have the potential to be expensive mistakes. In some cases the risks include putting the company itself out of business if not attended to properly.

In the U.S. compliance with HIPAA regulations and ensuring that ePHI (Electronic Personal Health Information) is secure is mandatory for Covered Entities and their Business Associates (see “To Whom Does the Privacy Rule Apply and Whom Will It Affect?” for more information). Often, organizations do not take this seriously enough. In order to make this happen from a technology perspective, we must take advantage of all modern security options at our disposal such as EAR (Encryption at Rest), encrypting all data transmission with TLS (aka Secure Sockets Layer), audit logging, intrusion prevention, role based security, and various other security measures.

HIPAA Compliance and Your Organization

If you are a covered entity and do not have a BAA (Business Associates Agreement) with your current developer or they don’t even know what a BAA is then you are not compliant with HIPAA regulations. If you have built a solution on your own and are not aware of HIPAA guidelines or how to implement them we suggest that you give us a call to discuss it further.

All organizations that deal with any type of PHI need to make sure they are HIPAA compliant. Even Federally Qualified Health Centers (FQHCs), Community Health Centers (CHCs) and related entities that are non-profit organizations risk substantial fines. This also includes dentists, chiropractors, doctors, nurses, insurance agencies, therapists, etc.

Something as simple as a patient an name, address, or license plate can be considered PHI that needs to be protected. For example, let’s say you have a custom app that contains names of patients. Within that app you have a Google map displayed that shows the location of the home of this patient. You’ve likely violated HIPAA guidelines and released PHI by openly transmitting the patient name and address to the Google API in order to display that map. In addition, you’ve also broken the Google maps EULA (end user license agreement) by using the API internally without paying for it.  Our LuminFire GIS team can assist in creating a mapping solution that uses open source base maps and techniques that can provide this information to you without breaking HIPAA rules or violating Google’s licensing agreement.

What does it take to be compliant with the HIPAA Security Rule? A lot! Overall, the HIPAA security rule requires (1) confidentiality, (2) integrity, and (2) availability.

• Confidentiality must prevent unauthorized access including that by outside hackers or even employees accessing records of a celebrity or ex-spouse — or a patient record they should not be accessing.
• Integrity must prevent changing or destroying information or deleting/changing records in the EMR (Electronic Medical Record).
• Availability must ensure the system is still there after a system crash, backed up, and recoverable after a disaster.

The Security Rule has items that are required and items that are addressable. A medical practice should do the following regardless of whether they are required or addressable:

1. Write detailed Policies and Procedures that address each one of the below items.
2. Perform a Risk Assessment on systems that contain electronic protected health information (ePHI).
3. Implement the suggested security recommendations that are identified in the Risk Assessment.
4. Create a Sanction Policy that addresses what to do if someone is in violation of your Policies and Procedures.
5. Assign the Security Officer rule to an individual.
6. Develop a procedure to ensure that access to ePHI is only given to employees that need access to perform their job.
7. Make sure that employee access to ePHI is limited to the information needed to perform their job. (i.e. make sure they don’t have too much access)
8. Make sure employee access to ePHI is terminated when they no longer need access. This can be when they are terminated or when they switch to another job within the practice. Create an employee termination procedure.
9. Train your employees on the best practices to secure ePHI.
10. Issue security reminders to employees after the training. Items include best practices, malware alerts, security warnings, etc.
11. Implement anti-virus / anti-malware on all systems. Ensure that the anti-malware is automatically updated and kept current.
12. Implement a procedure to report, document and respond to security incidents that affect ePHI.
13. Implement a data backup procedure that ensures ePHI is properly backed up. This can be to a backup tape, off-site backup, etc. Ensure that your tape backups or off-site backups are encrypted.
14. Implement a disaster recovery plan to ensure access to ePHI in the event something happens to your systems. This includes a fire, flood, power outage, hardware crash, etc.
15. Implement a procedure to operate in an emergency mode if there is a disaster. Make sure you have a plan to use your disaster recovery plan and make sure you don’t lose ePHI during the disaster.
16. Implement a procedure to regularly review your HIPAA Security Policies and Procedures. During the review make appropriate changes to strengthen your protection of ePHI. At a minimum do this annually and definitely after your have a security incident.
17. Locate your systems that contain ePHI in a secure room. In other words, make sure your server room is locked and restrict access to it. This includes unauthorized employees, patients, visitors, maintenance workers, etc.
18. Keep track of all people that enter the server room including IT staff, maintenance workers, etc.
19. Create and distribute a Computer Use Policy that let’s employees know what is acceptable use of the practice’s computers. This addresses email, restricted websites, posting information on social networks, conducting illegal activity, etc.
20. Implement procedures that ensure that all servers, desktops, laptops and mobile devices are secure. This includes applying security patches, vendor updates, etc.
21. Implement procedures to protect ePHI stored on portable devices. This includes smartphones, laptops, USB drives, tape backups, etc. MAKE SURE YOU ENCRYPT ALL OF THESE DEVICES.
22. Implement procedures to ensure you delete all ePHI on devices when you are discarding, recycling, donating, returning them. This includes laptops, desktops, servers, smartphones, USB drives, copy machines, x-ray machines, tape backups, etc. NOTE: Deleting the information is not enough. Use special software that ensures the data is permanently deleted and cannot be restored.
23. Implement procedures to track portable devices that that contain ePHI. Track them so you know where they are, who has them and if they are lost or stolen.
24. Ensure that each employee that accesses ePHI is assigned a unique username and password.
25. Ensure that employees do not share usernames and passwords.
26. Ensure that passwords are complex and not easily guessed. (i.e. minimum of 8 characters, preferably longer, lower and upper case letters, numbers and special symbols – e.g. MsMi1@yo). Remember, longer passphrases are more secure than just adding symbols and are often easier to remember (e.g. “Correct horse battery staple!” is stronger than “MsMi1@yo”). Check your password strength with a Password Meter and consider adding one to any solution you develop.
27. Implement a procedure that forces employees to change their passwords on a regular basis (i.e. every 90 days) and not reuse their previous 2-3 passwords.
28. Implement a procedure that locks a user account after a certain number of failed password attempts (i.e. a user account will be locked and must be reset by an administrator if the account is accessed with an incorrect password 5 times).
29. Develop a procedure that in the event of an emergency, there is a way to access systems with ePHI to provide patient treatment. In other words, make sure that the lack of knowing certain passwords does not affect patient treatment.
30. Implement a procedure that locks workstation screens after a predetermined time (i.e. after 15 minutes of inactivity, a workstation automatically locks and can not be accessed. This is applicable if an employee walks away from their desk). Consider privacy screen protectors to avoid sideways snooping.
31. Implement a procedure that automatically logs people off of systems that contain ePHI after a predetermined time. (see above).
32. Ensure that all systems that contain ePHI are located securely behind a properly secured firewall.
33. Ensure that any remote access solution is secure and encrypted.
34. Ensure that any wireless access to the network is secure and encrypted and that ePHI is not transmitted on a network shared with non ePHI.
35. Implement procedures that ensure all systems with ePHI have auditing turned on (i.e. record the username, date, time, action, etc when accessing ePHI. This is more than system log files). Make sure your employees know that all actions involving ePHI are recorded and logged and will be reviewed.
36. Implement procedures to review all system log files on a regular basis. You are looking for events or notifications that there has been an attempt or an actual breach of ePHI.
37. Make sure all smartphones have startup passwords and are encrypted.
38. Implement procedures that ensure all email that contains ePHI are encrypted or that emails contain a link to view the PHI behind a login.
39. Implement procedures so that all laptops are encrypted. Implement full disk laptop encryption.
40. Implement procedures that ensure any transmission of ePHI is encrypted. That includes email, FTP, etc.
41. Ensure that all Business Associates (BA) sign a BAA. Ensure that vendors understand their role in protecting ePHI.

There are a lot of steps needed to be compliant with the HIPAA Security Rule. Compliance is also an ongoing process. You can implement some of the steps as you work towards compliance with the ultimate goal of implementing all of them. Doing so will protect your organization from costly mistakes.

LuminFire can help to set up HIPAA training that will assist in identifying potential gaps in compliance or to assist in building a custom app that will make your organization more effective, productive, and profitable.

Tim Cimbura – CEO and Software Engineer

Tim is an expert in creating custom business solutions that make businesses more effective, productive, and profitable. He specializes in rapid application development with the Claris platform including FileMaker and WordPress. He also knows Apple macOS technology inside and out.