8 Tips to Building Product in a HIPAA world

Ben Hale, published in Weave Lab
5 min read, Jul 9, 2019

Designing and building software products in a HIPAA world is an exciting challenge, but it also requires real thoughtfulness about PII and HIPAA compliance. Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or to de-anonymize data that was supposed to be anonymous, can be considered PII. Pretty broad, eh?

HIPAA, the Health Insurance Portability and Accountability Act of 1996, is United States legislation that provides data privacy and security provisions for safeguarding medical information.

Now that we have these definitions out of the way, how is it possible to build great products in a HIPAA world? With PII and HIPAA acting as our guidelines, there is one more variable complicating the product design and build process. Here are some tips to help.

1. Customers Want To Know

Your users and customers want to know before you launch whether or not your product is HIPAA compliant.

With every product our team has launched, the question comes up: “Is it HIPAA compliant?” Marketing this, and stamping the product with the HIPAA stamp of approval, helps to ease doubts and makes adoption easier.

So before anything gets released, make sure that it is compliant, and be ready to explain why it is and how it is; your users will want to know.

Encryption? PII compliant? These words get thrown around frequently, even when users may or may not know what they mean. Help define them for your users so that you are protecting yourself, your customers, and your customers’ customers. Being informed is important.

2. HIPAA Compliance Means Different Things in Different Contexts

The status of a software application’s HIPAA compliance depends on the context in which it is used to deliver services to patients.

A software application can be intended to be used one way, yet fail to maintain HIPAA compliance when it is used improperly within a clinical setting.

There are important non-functional features required to deliver a HIPAA compliant user experience, so consider all the use cases and how users will really use it.

3. Location Location Location

Where will your product be used? Where will it be located? Is it patient facing? All these questions must be asked and answered when designing and building a new product.

Many of our products live in operatories inside of dental practices and can be susceptible to wandering eyes. Building in functions to handle this type of scenario should always be considered.

Strong passwords and auto log-off are a few basic features that should be considered; they are covered in tip #6.

4. Starting with the End

Something that has helped keep the user experience on track is starting with the five-star experience as the end goal and working backwards; filling in the HIPAA holes along the way helps to build a better experience.

Starting with the end helps keep an outcome-based mindset. A more in-depth look at this concept can be found here, written by my colleague and fellow PM Robison Rogers.

However, I believe there is a tension in doing this, because some basic compliance needs have to be addressed at the beginning, so use your own discretion when defining outcomes.

Having gone through this process (by accident), I found it really helped us keep a good user experience and not lose focus on who we were building it for and why. There were some small complications and exceptions that had to be made, but overall our product came out with a great end result.

5. “HIPAA Compliant” is not a Negative

In the same product design as above, I was really bummed out that we had to significantly change the product scope to solve a HIPAA compliance issue. At first I was disappointed, but then I realized that our users are really concerned about being HIPAA compliant, and being able to guarantee them 100% that the product is compliant was protecting not only us but our users and their patients. They would appreciate the fact that we took the extra steps to assure solid HIPAA practices to protect them. Use this.

Marketing your product early on as HIPAA compliant lets users and potential users know that you have their best interest in mind. It helps gain adoption and reduces the number of support inquiries asking whether the product is compliant, which means less friction for your product support. Be clear on what makes it HIPAA compliant.

6. Secure by Default

There are some defaults that should be put into place. Some of these are:

  • Role-based access
  • Audit all data access
  • Unique user identification
  • Auto log-off

These basic features should be default no matter what.

7. User Permissions

This is always something that comes up. Many health-related businesses want to regulate who can access what. What does that look like? What falls within the threshold of admin privileges, or something else? This is where user discovery comes in huge.

Getting your prototype in front of users and asking the right questions will help you decipher which permissions need to manage what.

Consider the question: who are we building this for? Front office staff? Office managers? This will help guide the decisions on which access levels need to be considered.
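The four defaults from tip #6 (role-based access, audit of all data access, unique user identification, auto log-off) and the role question from tip #7 fit together naturally in a single gateway that every patient-record request passes through. The following is an added illustration, not code from the article or from Weave; the users, roles, actions, record ids and the 15-minute idle timeout are constructed sample values, and the role policy is a hypothetical one that a real practice would define for itself.

```python
"""Added illustration (not from the article): the four 'secure by default'
controls from tip 6 wired together in one gateway, using a role model of
the kind tip 7 asks user discovery to define.  All data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set

# Unique user identification: one login per person, never a shared
# "frontdesk" account, so every audit entry names an individual.
# Roles come from this registry, not from the client, so a user cannot
# assert a role they were not granted.  (Constructed sample data.)
USERS: Dict[str, str] = {
    "alice.front": "front_office",
    "bob.dds": "clinician",
    "carol.mgr": "office_manager",
}

# Role-based access: each role gets the smallest set of actions its job
# needs.  (Hypothetical policy; a real practice defines its own.)
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "front_office": {"view_schedule"},
    "clinician": {"view_schedule", "view_chart", "edit_chart"},
    "office_manager": {"view_schedule", "view_chart", "manage_users"},
}

# Auto log-off: idle sessions expire.  15 minutes is an assumed value.
IDLE_TIMEOUT = timedelta(minutes=15)


@dataclass
class Session:
    user_id: str
    role: str
    last_activity: datetime


@dataclass
class AuditEvent:
    timestamp: datetime
    user_id: str
    action: str
    record_id: str
    outcome: str  # "allowed", "denied" or "session_expired"


class ManualClock:
    """Injectable clock so the idle timeout can be exercised without sleeping."""

    def __init__(self, start: datetime = datetime(2019, 7, 9, 9, 0, tzinfo=timezone.utc)):
        self.current = start

    def __call__(self) -> datetime:
        return self.current

    def advance(self, minutes: int) -> None:
        self.current += timedelta(minutes=minutes)


class PhiGateway:
    """Single choke point for patient-record access: every request is
    checked against the role policy and recorded, including refusals."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self.audit_log: List[AuditEvent] = []
        self._now = now or (lambda: datetime.now(timezone.utc))

    def login(self, user_id: str) -> Session:
        if user_id not in USERS:
            raise PermissionError(f"unknown user {user_id!r}")
        return Session(user_id=user_id, role=USERS[user_id], last_activity=self._now())

    def access(self, session: Session, action: str, record_id: str) -> str:
        now = self._now()
        if now - session.last_activity > IDLE_TIMEOUT:
            outcome = "session_expired"   # caller must authenticate again
        else:
            session.last_activity = now   # any live request counts as activity
            outcome = "allowed" if action in ROLE_PERMISSIONS[session.role] else "denied"
        # Audit all data access: denied and expired attempts are logged too,
        # because they are exactly what an investigation needs to see.
        self.audit_log.append(AuditEvent(now, session.user_id, action, record_id, outcome))
        return outcome


def demo() -> List[str]:
    """Walk one front-office user through an allowed, a denied and an expired request."""
    clock = ManualClock()
    gw = PhiGateway(now=clock)
    alice = gw.login("alice.front")
    outcomes = [
        gw.access(alice, "view_schedule", "patient-0001"),  # allowed
        gw.access(alice, "view_chart", "patient-0001"),     # denied: not in front_office policy
    ]
    clock.advance(minutes=16)                               # past IDLE_TIMEOUT
    outcomes.append(gw.access(alice, "view_schedule", "patient-0001"))  # session_expired
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that refusals are audited alongside successes: a front-office login repeatedly trying to open charts is precisely the pattern a compliance officer wants visible, and it costs nothing extra once all access goes through one gateway.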

8. Hire a Consultant

No, this doesn’t have to be an actual consultant, but get someone who has an intimate knowledge of HIPAA and PII compliance and who can poke holes in each idea, feature, and function before anything is built!

Getting a trained set of eyes on potential scenarios that would fall outside the guidelines of HIPAA can reduce the impact of having to rebuild a feature.

Practicing this, and getting a second opinion, will help eliminate the frustration of months of work going down the drain. HIPAA compliance can at times be hard to navigate, so play it safe: get an extra set of eyes on your plans so you don’t find out later that it isn’t compliant.

Conclusion

Beyond a great product and great product design, the essential investment for long-term product or service success is compliance. Having the proper compliance in place when building and releasing new products is necessary for adoption and user satisfaction.

Understanding and using these tips to build HIPAA compliant solutions allows business leaders to meet their customers’ expectations and remain competitive in this fast-moving marketplace.
