Architecting Your Healthcare Application for HIPAA Compliance,Part 1

18 — the number of reported breaches so far this year in the health care and medical provider industry

10.5 million — the number of people who had data compromised in just the last breach alone.

The healthcare landscape of the United States is rapidly changing. We are at a crossroads in the medical IT industry today where the legacy (often meaning paper) systems of the past are making it very hard to properly secure patient data.

Due to new regulation and patient demand, startups such as Syapse and Flatiron Health have begun to leverage the AWS cloud to develop new technologies that are not only changing the way in which our healthcare is delivered but are also raising the bar for keeping patient data safe.

Syapse is driving the transformation of healthcare through precision medicine, enabling healthcare providers to streamline operations and improve clinical outcomes. Leading healthcare systems are now using Syapse Precision Medicine Platform to integrate complex clinical and genomic data, and deliver actionable insights at the point of care.

Of course, all this must be done within the highly regulated environment of HIPAA. “Most of what HIPAA prescribes is good business practice for handling any customer data. In today’s environment, there is more focus than ever on patient data security, and our customers need to know that we have a rock solid security program,” says Tony Loeser, Syapse CTO and co-founder. “AWS’s commitment to security-oriented services and responsive, expert support give us confidence to build on their platform.”

Flatiron Health is a company that specializes in data analytics and workflow tools that dramatically improve the treatment of cancer patients and accelerate research. According to Alex Lo, engineering manager at Flatiron, “AWS is a reliable service provider that provides us great tools for managing and processing large amounts of patient data, in a HIPAA-compliant way. S3 with Server Side and TLS encryption meets all our document and image storage requirements. Encrypted EBS gives us great performance and security for our processing nodes. We also utilize its powerful audit capabilities.”

This blog will walk an interested startup through the background on healthcare today, the current regulated environment and where inventive startups may find opportunity to build on the compliance features offered by the AWS infrastructure and achieve success in the health technology space as Flatiron Health and Syapse have.

A Primer

As somewhat recent transplants to Seattle from New York City, my wife and I have started the process of transferring our healthcare to new providers. This means a LOT of filling out paper forms. Just a few years ago, the CDC reported that only 4.4 percent of physicians had a fully functional electronic medical record system.

Even at premier medical centers in the United States, the following picture seems to represent the pinnacle of data collection technology in healthcare.

Let’s see, when was my last tetanus shot? Probably less than 10 years ago? Sure, why not. When was that surgical procedure? 2003. No wait, 2005? Medications? How do you spell that drug again? Eh, close enough.

Okay, I guess I can get the records I need from NYC. All I need to do is submit requests at each one of my medical providers and…who were all of my doctors again? Assuming I am the average patient, my records are stored in about 19 locations. Oh, and it looks like my dermatologist retired. And of course once I do request the records, the API of the healthcare world is still the FAX machine, so all the handwritten notes scribbled by my physicians over the years will be rescanned and sent for additional [mis]interpretation, and, not to mention, additional fees per page. Perhaps this reliance on patient memory and struggle to obtain records is a contributing factor to why there were more than a million patient safety incidents caused by medical errors between 2000 through 2002.

Maybe this was the best we could do back in 1996 when HIPAA was developed, but this was a time when phones had wires, film was dropped off to be developed, the quickest way to contact someone was to page them, and connecting to the Internet involved an AOL CD-ROM accompanied by a strange crackling sound. However, in today’s fast-paced information age companies like Amazon have redefined a new normal. I can now ask my Amazon Echo to tell me the world’s news, I’ve replaced my trip to Blockbuster with Prime Instant videos, my Amazon Kindle holds more books than my local library did, provisioning a server now means a green light on the Amazon Web Services web page, and I’ve even fully automated the delivery of my groceries. It should be less than a shock to anyone who is paying attention that the IT systems of the healthcare industry are ready for an overhaul, and AWS might just be the company that can enable this change.

How did healthcare records get so left behind in the march toward digitalization? Much of it has to do with the fact that the understanding of human ailments and diseases is not a business process that can be easily automated. Many measurements used in practice are correlative measures obtained in very uncertain situations that require deep reasoning abilities to properly decide on a course of treatment. A lack of the latest IT capabilities does not necessarily exclude one from being a great doctor, nurse, or even scientist.

As computerized systems did make their way to healthcare providers, too often the goal was focused on billing capabilities instead of clinical care improvement. Even with electronic medical records, it was still the paper records that were consistently seen as the gold standard.

This led to the unfortunate environment where caregivers see the IT infrastructure as an unwanted intermediary between patient care and the patient. As a result of this contentious relationship, all too often the mark of a successful IT department in healthcare is simply providing the minimum essentials with the utmost stability as opposed to offering real technical improvements to the healthcare process. Of course, to quote Aldous Huxley, “stability isn’t nearly so spectacular as instability.” Healthcare technology needs to move past maintaining the status quo, and this blog can serve as a starting point for understanding a basic AWS HIPAA eligible architecture, which can be used by startups that want to take healthcare into a brave new world.

Regulated Industry

The Health Insurance Portability and Accountability Act (HIPAA) that was passed by Congress in 1996 was one of the first major regulations that enabled the healthcare industry to move towards digitalization of healthcare records. Among other items, this act provided industry-wide standards for health care information on electronic billing. There were also additional regulations in this act, which made entities legally responsible for protecting this data and gave the patient rights associated with their own information. These safety controls are broken out into two subcategories of HIPAA:

1. Privacy Rule — deals with the individual identifiable patient information and provides guidance on protections, disclosures, and patient rights.
2. Security Rule — deals with the administrative, physical, and technical safeguards

Additional elaboration about each of these can be found on the HHS site.

Of course, as often is the case with healthcare legislation, there were some unintended consequences of all these HIPAA safeguards. Developers with great ideas for new and innovative ways to approach patient healthcare might quickly shy away from tackling the problem for fear of the heavy regulations and privacy compliance laws.

Repercussions from data hacks, such as the ones made infamous by Premera, the UCLA health system and many others, caution startups from venturing into the field. Innovation seems to be thwarted simply by mention of the dreaded “HIPAA” regulation.

In the healthcare industry, electronic systems that store, process, or transmit patient data need to be given extra attention. Healthcare providers should do everything they can to protect the privacy of the patient and ensure that the systems they architect to handle Protected Health Information (PHI) follow the guidelines set forth under HIPAA and HITECH regulations.. Your medical information is worth 10 times more than your credit card information on the black market. Unlike a credit card number, which has a fleeting availability for use, medical records data that is sold includes names, birth dates, social security numbers, policy numbers, and diagnosis codes, and cannot simply be canceled. This data can be repeatedly used to create fake IDs to buy medical equipment, purchase drugs, or file false claims.

I won’t be presumptuous and say that maintaining HIPAA/HITECH compliance is an easy thing to do or that AWS offers a one-size fits all solution. Maintaining proper security and compliance of your data requires ongoing diligence by all parties involved. There are many aspects of HIPAA that fall under the responsibility of the healthcare provider such as breach notification, risk analysis, limiting uses, and many other controls that are necessary to keep patient data safe.

However, companies that choose to build on AWS are at a major advantage when it comes to patient data security. According to security experts, “cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.” AWS offers leading-edge security features that are designed to eliminate much of the undifferentiated heavy lifting necessary for maintaining HIPAA compliance and make storing and accessing PHI data less risky.

The Times They are A-changin’

HIPAA was not the last legislative attempt to move healthcare into the digital age. As part of the American Recovery and Reinvestment Act of 2009 (aka: the federal stimulus package), the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed, which allocated 19.2 billion dollars of funding to increase the use of Electronic Health Records by physicians and hospitals. The HITECH Act outlined plans for this adoption through three stages of what is called “meaningful use.” The stages are the following:

1. Data capturing and sharing
2. Advanced clinical processes
3. Improved outcomes

The first two stages are underway now, and the third stage coming in 2017 (although still not finalized) is designed with eight proposed objectives, some of which are going to make for very interesting technology challenges. Clinical decision support, providing patients electronic access to their information, and home health reporting are just a few examples of areas where a nimble startup could come and find their niche among the major healthcare IT vendors.

The HITECH Act is not the sole legislative driver of improved IT in healthcare. The Patient Protection and Affordable Care Act (ACA) of 2010 (aka Obamacare) has also played a role in pushing quality measures through programs such as Physician Compare and Hospital Compare.

This new law has opened the doors for large medical records companies such as Epic to introduce frameworks for interoperability that can provide clinicians access to the patient data needed for proper care. Epic achieves this through the exchange of standardized Continuity of Care Documents. This standardization of the medical record makes it possible for startups to now build on to the existing features of the EMR system without needing to duplicate existing functionality.

We have already started to see many AWS startups making real progress in both patient care and patient health. These companies have leveraged AWS to build highly secure, HIPAA eligible systems that have been paying off both for patients and the companies’ financial success.

Make Your Web Application HIPAA Eligible

As a first step to understanding HIPAA compliance, it is recommended that you take a look at the Architecting for HIPAA Security and Compliance whitepaper. You might also want to review the AWS HIPAA Compliance FAQs for additional details on topics like the Business Associate Agreement (BAA) that AWS offers as well as which services can be used for storing and processing PHI. There is also a video from last year’s AWS re:Invent conference on Architecting for HIPAA Compliance on AWS that is worth a look. Be on the lookout for an upcoming 2015 update to this video.

AWS provides multiple services to deploy a highly available, scalable, secure application stack, which can serve a limitless variety of healthcare applications and use cases. In our next blog, we will embark on our journey into HIPAA-eligible architectures by providing an example HIPAA architecture, which can be adopted as a starting point for building a HIPAA-eligible, web-facing application.

Christopher Crosbie MPH, MS
Healthcare and Life Science Solutions Architect