How to Win at HIPAA Compliance Testing for Healthcare Apps


By Inga Shugalo
Healthcare Industry Analyst at Itransition

It’s official: healthcare has entered the mobile era. In its recent report, Grand View Research projected the global mHealth market to reach $111.8 billion by 2025, growing at a whopping 44.2% CAGR. While vendors are indeed racing to create efficient and robust solutions, it would be far too easy to just build an app and send it flying across clinical settings and patient homes, wouldn’t it?

Thankfully, HIPAA stands in the way of an mHealth app flood, obliging solutions to secure data and guarding the market against a wave of fraudulent and outright harmful applications. To reach providers or patients, developers have to guarantee that their solutions conform to HIPAA, testing anything from women’s cycle trackers and symptom checkers to mobile EHR versions and clinical decision support apps.

Since verifying data protection in mobile healthcare can be challenging and detail-intensive, we have put together basic guidelines for comprehensive HIPAA compliance testing of apps.

HIPAA run-down

The Health Insurance Portability and Accountability Act is mandatory for any software that handles PHI (protected health information), e.g., stores, records or transmits it. It includes four basic rules to follow:

  1. HIPAA Privacy Rule

This rule stipulates the prerequisites for accessing, correcting, storing, using and sharing PHI.

  2. Security Rule

The Security Rule encompasses the safeguards for protecting health information throughout its full handling cycle – from creation to maintenance. It also outlines the prerequisites to guarantee PHI security, integrity, and privacy.

  3. Enforcement Rule

This rule explains the corrective actions initiated if PHI safety or confidentiality is compromised through wrongful use or disclosure. HIPAA violation penalties range from $100 to $50K per breach or per specific record, rising to a maximum fine of $1.5M per year for one violation.

Compared to 2017’s major settlements, with more than $19M in payments, 2018 lags behind with HIPAA fines totaling $7.9M. While it is too early to make judgments, we hope that this year’s aggregate settlements will confirm the trend toward better data security and won’t exceed previous years’ totals.

  4. Breach Notification Rule

This rule specifies when and how healthcare organizations and other HIPAA-covered entities should notify everyone involved, including care consumers, other organizations, and the media, of breaches that have occurred.

Check yourself: HIPAA compliance to-do

If you want to know for sure whether your next app is safe and secure, get well acquainted with the following HIPAA sections:

Administrative Safeguards

This section defines the approach to employees who will access or manage PHI. In particular, it states such conditions for HIPAA conformance as setting up NDAs, undergoing risk assessments, and conducting staff training on HIPAA.

Technical Safeguards

This section explains the proper approaches to PHI handling, some of them required and others only advisable. The technical safeguards section outlines the prerequisites for:

  • Access control (user login, logoff, authentication)
  • Information transmission safety
  • Audit logs

Physical Safeguards

Physical safeguards usually concern hosting companies rather than vendors, describing the rules for workstation security, server access, device and media controls, and more.

HIPAA compliance testing: 101

Now that we have grasped the essence of the guidelines provided by the HIPAA regulation, it will be easier to extract particular areas for compliance testing. Since specific testing strategies usually depend on the app’s requirements, we will look at more general concepts that fit most healthcare applications out there.

We suggest focusing especially on the following elements:

  • Creating a role matrix
  • Authorization and authentication
  • Information transmission

  1. Role matrix

Apps for care consumers and health specialists usually allow role-based, multi-level access to patient information. QA specialists need to define all possible roles before the actual testing. These roles are then associated with distinct risk levels, calculated from the likelihood of an information leak, the expected frequency of app use, the probability of user errors within the app, and the consequences of those errors for the particular features involved.

Pro tip: Tracking defects

Make the most of your bug-tracking system by prefixing the titles of HIPAA-related defects accordingly, e.g. “HIPAA.Defect.1.2.System.Access”. Moreover, tag any of them that pose higher risks to data security and integrity with a “Critical” status.

  2. User authorization and authentication

When testing authorization and authentication, you make sure that different user roles can successfully log into the app. Depending on their access level, some users will be able to create, add, delete or modify information in particular parts of the app. Others won’t be that privileged.

Also, check both alternative and exception paths, including being unable to log in, entering a wrong password, using the forgotten-password flow, or entering the app after a password change, etc. The more options you cover, the better.

Let’s also not forget that the user can enter the app in many ways: via biometric data (fingerprint, retina scan, face scan, voice recognition, etc.), ID card, user ID and password, and more. This can significantly affect the number and complexity of authentication test cases.
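Here is an added example, not code from the article or from Itransition, that turns the role matrix and the authentication paths above into an executable test harness. The roles, resources, risk weights and the AuthService class are all constructed assumptions; a real app's matrix comes from its requirements documentation. authorization_cases() enumerates every role × resource × action pair together with its expected decision, so negative cases (a patient reaching a prescription) are tested as deliberately as positive ones, and AuthService exercises the exception paths the text lists: wrong password, lockout after repeated failures, and sessions revoked by a password change.

```python
"""Role matrix and authentication test harness (added example, not from the article).

Roles, resources, risk weights and user accounts are constructed for illustration.
"""
import hashlib
import secrets
from itertools import product

RESOURCES = ("patient_record", "lab_results", "prescription", "audit_log")
ACTIONS = ("read", "create", "update", "delete")

# Role matrix: which actions each role may perform on each resource.
# Anything not listed is denied (deny by default).
ROLE_MATRIX = {
    "patient":   {"patient_record": {"read"}, "lab_results": {"read"}},
    "nurse":     {"patient_record": {"read", "update"}, "lab_results": {"read", "create"}},
    "physician": {"patient_record": {"read", "create", "update"},
                  "lab_results": {"read", "create"},
                  "prescription": {"read", "create", "update"}},
    "auditor":   {"audit_log": {"read"}},
}

# Per-role risk factors (constructed): leak likelihood, frequency of use,
# chance of a user error, and impact of that error (1 = low, 3 = high).
RISK_FACTORS = {
    "patient":   (1, 3, 2, 2),
    "nurse":     (2, 3, 2, 3),
    "physician": (2, 2, 1, 3),
    "auditor":   (1, 1, 1, 2),
}


def can(role, resource, action):
    """Deny-by-default authorization decision taken from the role matrix."""
    return action in ROLE_MATRIX.get(role, {}).get(resource, set())


def risk_level(role):
    """Combine the four factors into one score; higher scores get tested first."""
    leak, freq, err, impact = RISK_FACTORS[role]
    return leak * freq * err * impact


def authorization_cases():
    """Every role x resource x action combination with its expected decision.

    Negative cases (expected False) matter as much as positive ones: they prove
    that a less privileged role cannot reach another role's data.
    """
    return [(role, res, act, can(role, res, act))
            for role, res, act in product(ROLE_MATRIX, RESOURCES, ACTIONS)]


class AuthService:
    """Minimal password login with lockout and session revocation on password change."""
    MAX_FAILURES = 3

    def __init__(self):
        self._users = {}      # username -> [salt, hash, role, failure_count]
        self._sessions = {}   # token -> username

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, role):
        salt = secrets.token_bytes(16)
        self._users[username] = [salt, self._hash(salt, password), role, 0]

    def login(self, username, password):
        """Return a session token, or None for unknown user, wrong password or lockout."""
        user = self._users.get(username)
        if user is None or user[3] >= self.MAX_FAILURES:
            return None
        salt, digest, _, _ = user
        if not secrets.compare_digest(digest, self._hash(salt, password)):
            user[3] += 1
            return None
        user[3] = 0
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def change_password(self, username, new_password):
        """Re-hash and revoke every session of that user, forcing a fresh login."""
        salt = secrets.token_bytes(16)
        self._users[username][0:2] = [salt, self._hash(salt, new_password)]
        self._sessions = {t: u for t, u in self._sessions.items() if u != username}

    def authorize(self, token, resource, action):
        """The session must be valid and the user's role must allow the action."""
        username = self._sessions.get(token)
        if username is None:
            return False
        return can(self._users[username][2], resource, action)
```

Sorting the roles by risk_level() gives the order in which to write and run the authorization cases; in this constructed matrix the nurse role scores highest because it combines frequent use with update rights on patient records.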

  3. Information transmission

Try out different network analyzers (e.g., Zenoss Core and Fluentd) to find out whether PHI stays encrypted across specific information transmission activities, such as:

  • Information transfer to an offline database or storage
  • Information transfer to online storage or other external locations
  • Information access across data storages, PACS, printers, in-facility workstations and all devices with the app installed

If your app offers functionality for sending and receiving e-prescriptions, claims, post-discharge notes, ADT charts and more, QA specialists need to check whether the corresponding EDI X12 formats are used in those cases.
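As an added example (not from the article or Itransition), the following checker verifies that an outgoing message at least carries a well-formed EDI X12 interchange envelope: ISA/IEA, GS/GE and ST/SE pairing, matching control numbers and correct segment counts. It does not validate the content rules of a particular transaction set such as the 837 claim. The sample interchange is constructed, and its sender, receiver and control identifiers are placeholders.

```python
"""Structural validation of an EDI X12 interchange envelope (added example, not from the article).

The sample interchange and all identifiers in it are constructed placeholders.
"""

ISA_LENGTH = 106  # the ISA segment is fixed-width, segment terminator included


def build_isa(sender, receiver, ctrl="000000001"):
    """Assemble a fixed-width ISA header (usage indicator 'T' for test, version 00501)."""
    fields = ["ISA", "00", " " * 10, "00", " " * 10, "ZZ", sender.ljust(15),
              "ZZ", receiver.ljust(15), "190101", "1200", "^", "00501", ctrl,
              "0", "T", ":"]
    return "*".join(fields) + "~"


def split_segments(data):
    """Derive the separators from the ISA header, then split into element lists."""
    if not data.startswith("ISA") or len(data) < ISA_LENGTH:
        raise ValueError("interchange must begin with a complete ISA segment")
    element_sep = data[3]
    segment_term = data[ISA_LENGTH - 1]
    segments = [s.strip("\r\n") for s in data.split(segment_term)]
    return [seg.split(element_sep) for seg in segments if seg]


def validate_envelope(data):
    """Return a list of findings; an empty list means the envelope is well-formed."""
    findings = []
    segs = split_segments(data)
    isa, iea = segs[0], segs[-1]
    if len(isa) != 17:
        findings.append("ISA must carry exactly 16 elements")
    if iea[0] != "IEA":
        findings.append("interchange must end with IEA")
        return findings
    if len(isa) == 17 and isa[13] != iea[2]:
        findings.append("IEA02 control number does not match ISA13")
    groups = 0
    sets_in_group = 0
    gs_ctrl = None
    st_index = None
    st_ctrl = None
    for i, seg in enumerate(segs):
        tag = seg[0]
        if tag == "GS":
            groups += 1
            sets_in_group = 0
            gs_ctrl = seg[6]
        elif tag == "ST":
            st_index, st_ctrl = i, seg[2]
            sets_in_group += 1
        elif tag == "SE":
            if st_index is None:
                findings.append(f"SE at segment {i} has no matching ST")
                continue
            count = i - st_index + 1  # SE01 counts ST through SE inclusive
            if int(seg[1]) != count:
                findings.append(f"SE01 declares {seg[1]} segments, found {count}")
            if seg[2] != st_ctrl:
                findings.append("SE02 control number does not match ST02")
            st_index = None
        elif tag == "GE":
            if int(seg[1]) != sets_in_group:
                findings.append(f"GE01 declares {seg[1]} transaction sets, found {sets_in_group}")
            if seg[2] != gs_ctrl:
                findings.append("GE02 control number does not match GS06")
    if int(iea[1]) != groups:
        findings.append(f"IEA01 declares {iea[1]} functional groups, found {groups}")
    return findings


# Constructed sample: one functional group holding one minimal 837-style transaction set.
SAMPLE_INTERCHANGE = build_isa("SENDERID", "RECEIVERID") + "\n" + "\n".join([
    "GS*HC*SENDERID*RECEIVERID*20190101*1200*1*X*005010X222A1~",
    "ST*837*0001*005010X222A1~",
    "BHT*0019*00*TESTREF*20190101*1200*CH~",
    "NM1*41*2*TEST CLINIC*****46*TESTID~",
    "SE*4*0001~",
    "GE*1*1~",
    "IEA*1*000000001~",
])
```

Running validate_envelope() over the messages an app emits in a test session catches the cheap mistakes first (a hand-built SE count that drifts after a segment is added, or an interchange control number that is not echoed back in IEA02); content-level validation of each transaction set still needs a dedicated X12 validator.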

Pro tip: Creating test data

Avoid testing information transfer, access control, push notifications, or other HIPAA-critical items with real-world PHI. Replace it with synthetic test data to keep security measures consistent and to avoid any possible data leaks during test sessions.
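The following added example (not code from the article or Itransition) serves both the transmission checks listed earlier and this pro tip: it generates clearly synthetic patient records, refuses fixtures that lack the synthetic markers, and then uses those records as canary values to scan a captured set of flows for PHI sent in cleartext. Every record, identifier and payload is constructed, and the "capture" is a plain list of dicts standing in for exported analyzer output rather than any real tool's format.

```python
"""Synthetic PHI fixtures and a cleartext canary scan (added example, not from the article).

All records, identifiers and captured payloads below are constructed.
"""
import random
from datetime import date, timedelta

FIRST_NAMES = ["Ada", "Grace", "Linus", "Margaret", "Tim"]
LAST_NAMES = ["Testcase", "Sample", "Fixture", "Placeholder"]


def make_test_patients(n, seed=42):
    """Deterministic synthetic patients.

    MRNs carry a TEST- prefix and SSNs use area number 000, which is never
    assigned, so a fixture cannot be confused with a real identifier.
    """
    rng = random.Random(seed)
    patients = []
    for i in range(n):
        dob = date(1950, 1, 1) + timedelta(days=rng.randrange(25_000))
        patients.append({
            "mrn": f"TEST-{i:06d}",
            "name": f"{rng.choice(FIRST_NAMES)} {rng.choice(LAST_NAMES)}",
            "dob": dob.isoformat(),
            "ssn": f"000-{rng.randrange(1, 100):02d}-{rng.randrange(1, 10000):04d}",
        })
    return patients


def assert_synthetic(records):
    """Refuse fixtures without the synthetic markers, guarding against a real
    export being dropped into the test suite by mistake."""
    bad = [r for r in records
           if not r["mrn"].startswith("TEST-") or not r["ssn"].startswith("000-")]
    if bad:
        raise ValueError(f"{len(bad)} record(s) lack synthetic markers")
    return True


def canary_values(patients):
    """Identifiers that must only ever appear inside an encrypted channel."""
    values = set()
    for p in patients:
        values.update((p["mrn"], p["name"], p["ssn"]))
    return values


def scan_capture(flows, canaries):
    """Flag flows whose payload is readable and contains any canary value.

    A hit means PHI crossed that hop in cleartext. TLS record bytes decode to
    noise and never match, which is what a passing run looks like.
    """
    findings = []
    for i, flow in enumerate(flows):
        text = flow["payload"].decode("utf-8", errors="ignore")
        hits = sorted(v for v in canaries if v in text)
        if hits:
            findings.append({"flow": i,
                             "dst": f'{flow["dst"]}:{flow["dst_port"]}',
                             "leaked": hits})
    return findings


PATIENTS = make_test_patients(3)

# Constructed capture: one TLS flow (opaque record bytes) and one cleartext
# HTTP POST to a print bridge that carries a test patient's record.
SAMPLE_FLOWS = [
    {"dst": "api.example.test", "dst_port": 443,
     "payload": bytes.fromhex("170303002a") + bytes(range(42))},
    {"dst": "print-bridge.example.test", "dst_port": 80,
     "payload": ("POST /print HTTP/1.1\r\nHost: print-bridge.example.test\r\n\r\n"
                 f"mrn={PATIENTS[1]['mrn']}&name={PATIENTS[1]['name']}").encode()},
]
```

Seeding the fixtures with values that exist nowhere else makes the scan unambiguous: any match in a capture is a leak by definition, and there is no real patient data at risk if the capture itself is shared with a vendor or attached to a defect report.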

HIPAA-compliant and good to go

While HIPAA may seem too sophisticated to keep up with at first, the trick of the trade is simply to pull out the specific sections of the Act and work through each one gradually. While many QA activities will be based on software requirements documentation, keep user authorization intricacies and information transmission cases in mind and build your HIPAA conformance testing logic up from there. Let your new healthcare app be safe and make clinical stakeholders and patients happy.