Alpha Software Blog



Building HIPAA Compliant Web & Mobile Apps Rapidly With Alpha Anywhere


 
One of the trends we have noticed as we survey our customers is the increasing use of
Alpha Anywhere by developers for building:
-- Secure, HIPAA compliant web and offline-capable mobile applications for healthcare, and
-- Secure, PCI compliant financial apps and other apps where security is of paramount importance.
In this blog we will focus on HIPAA applications, but the same principles apply to PCI and other security-sensitive apps.

When building HIPAA applications it is essential to make sure that the applications follow the HIPAA security rules. In the USA, HIPAA compliance is the protocol designed to protect the privacy of individual health records. Similar rules exist in other countries as well.

While some of the HIPAA privacy rules are fairly straightforward, a number of them are open to interpretation, making the development of a HIPAA compliant application a tricky task. Fortunately, Alpha Anywhere has been designed with all the tools needed to protect sensitive data and meet the demands of key HIPAA requirements.

Below, Alpha developer Jerry Brightbill, who has had extensive experience building HIPAA compliant healthcare applications, including a large system currently in use by over 40 large hospitals in the US, explains some of the most important requirements to think about when developing a HIPAA compliant application or mHealth app:

 

Building HIPAA Compliant Web Applications

by Jerry Brightbill, Alpha Software.

Building a HIPAA compliant application is somewhat challenging as the requirements cover many aspects of the design and implementation. Every security consultant will evaluate the requirements slightly differently and give slightly different recommendations.

However, there are generally accepted requirements for handling PHI (Protected Health Information) to achieve HIPAA compliance.

The good news is that Alpha Anywhere was designed to have all the options and tools needed to allow developers to build HIPAA compliant healthcare applications.

 

Data encryption in applications

Most developers of browser-based applications have moved toward SQL-based databases such as MS SQL Server. Those systems offer a number of encryption options.

One we are very familiar with is MS SQL Server TDE (Transparent Data Encryption), which is very good and has been evaluated and accepted by government agencies. The same applies to Oracle databases, which also offer TDE. Alpha Anywhere supports a wide range of SQL databases.

 

Tracking edits and viewing of data in applications

Alpha Anywhere web components offer a wide array of options to record data every time a user requests a view or makes an edit. This is done with "events", where code can be added to save a record into log tables.

If you are using a SQL-based data system, most SQL databases provide programming options such as triggers, where the back-end database itself manages adding rows to the view and edit logs. This is often preferred as the more secure option because it is independent of the user interface and cannot be bypassed by it.

 

Access security in applications

Alpha Anywhere has full security measures to prevent unauthorized access to any data. The system has features to track all login and logout activity. Access to specific forms, reports, and data can be regulated with the built-in security.

In addition, our web server supports SSL encryption and offers protection against common security threats such as SQL injection.

HIPAA regulations also require segregating data to limit access to only those users who have the authority to see that sensitive data. In simple systems this is often not a concern, as anyone who has access to the system can see any data in it. In a more complex system, each user may be restricted to a subset of the data. Alpha Anywhere offers a wide range of filtering options to limit user access in HIPAA compliant applications.

 

Industry evaluations of the issues surrounding HIPAA compliance in applications

Below are links to a few documents that are very useful for navigating HIPAA requirements. Put together by the American Medical Association, the Department of Health and Human Services, and Information Week, these documents answer many of the questions that may arise when developing for HIPAA compliance.

 

Example of a HIPAA compliant application built with Alpha Anywhere in use in over 40 hospitals

Some videos from the system that Jerry has built are shown here (Note: the screenshots and video do not show real patient data):

Some of the Alpha Anywhere tools and methods developers are using to build HIPAA compliant apps:

  1. Use SSL certificates for data "in transit".
  2. Take advantage of Alpha Anywhere's two-factor authentication.
  3. Let Alpha Anywhere encrypt connection strings.
  4. Design "group security" (built into Alpha Anywhere) from the ground up rather than adding it after the app is built.
  5. Design database tables with security in mind. For example, developers may want to bifurcate PHI (Protected Health Information) into separate tables.
  6. Take advantage of Alpha Anywhere's column encryption. (You don't need to encrypt the entire database.) However, it's not just about encrypting client names, addresses, dates of birth, social security numbers, and credit card numbers. You have to analyze all the columns and make sure that a hacker can't glean PHI from text fields or other types of HTML columns or reports.
  7. If you are using IIS security, you can also use client-side roles with JavaScript to limit screens and let users know they don't have permission before it locks them out.
  8. Alpha Anywhere also makes it easy to have column-based security or screen security.
  9. Stored procedures and views also provide excellent security. For example, reports that need to be sent to Medicare need to be HIPAA compliant. There is an option to show the MRN (Medical Record Number) instead of PHI. A view can handle this requirement so that, when the data comes back from the SQL database, it shows the MRN instead of the PHI.
  10. Create a security checklist that users of the app must follow, because security is more than just the application; it is also the way people use the application. Have a shredder for all your paper. Make sure your email and texting are encrypted. Alpha makes it very easy to use the Office 365 encryption within your application.
  11. Consider using Alpha Cloud because of all the security that AWS offers, which Alpha Cloud leverages and builds on.
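The three database-side measures above (tracking edits with triggers, bifurcating PHI into its own table, and an MRN-only view for reports) as one added T-SQL example for MS SQL Server. This is not code from the original post or from Alpha Anywhere; the table, column and role names are assumptions for illustration.

```sql
-- Constructed T-SQL example for MS SQL Server; not code from the original post.
-- Table, column and role names are assumptions for illustration.

-- PHI lives in its own table so it can be encrypted and permissioned separately.
CREATE TABLE dbo.PatientIdentity (
    MRN      CHAR(10)       NOT NULL PRIMARY KEY,
    FullName NVARCHAR(200)  NOT NULL,
    SSN      VARBINARY(256) NULL      -- stored encrypted (column-level encryption)
);

-- Clinical data references the patient only by MRN, never by name or SSN.
CREATE TABLE dbo.Encounter (
    EncounterID INT IDENTITY(1,1) PRIMARY KEY,
    MRN         CHAR(10)      NOT NULL REFERENCES dbo.PatientIdentity(MRN),
    VisitDate   DATE          NOT NULL,
    Notes       NVARCHAR(MAX) NULL
);

-- Edit log written by the database itself, independent of the user interface.
CREATE TABLE dbo.EncounterAudit (
    AuditID     BIGINT IDENTITY(1,1) PRIMARY KEY,
    EncounterID INT           NOT NULL,
    Action      CHAR(1)       NOT NULL,   -- I = insert, U = update, D = delete
    ChangedBy   SYSNAME       NOT NULL,
    ChangedAt   DATETIME2     NOT NULL DEFAULT SYSUTCDATETIME(),
    OldNotes    NVARCHAR(MAX) NULL        -- previous value, for update/delete
);
GO
CREATE TRIGGER dbo.trg_Encounter_Audit ON dbo.Encounter
AFTER INSERT, UPDATE, DELETE AS
BEGIN
    SET NOCOUNT ON;
    -- Row in both inserted and deleted = update; only in deleted = delete; only in inserted = insert.
    INSERT INTO dbo.EncounterAudit (EncounterID, Action, ChangedBy, OldNotes)
    SELECT COALESCE(i.EncounterID, d.EncounterID),
           CASE WHEN i.EncounterID IS NOT NULL AND d.EncounterID IS NOT NULL THEN 'U'
                WHEN d.EncounterID IS NOT NULL THEN 'D' ELSE 'I' END,
           SUSER_SNAME(), d.Notes
    FROM inserted i FULL OUTER JOIN deleted d ON i.EncounterID = d.EncounterID;
END;
GO
-- Reporting view exposes the MRN, never the identity columns; report users get only the view.
CREATE VIEW dbo.EncounterReport AS
    SELECT EncounterID, MRN, VisitDate, Notes FROM dbo.Encounter;
GO
CREATE ROLE ReportUsers;
GRANT SELECT ON dbo.EncounterReport TO ReportUsers;
DENY  SELECT ON dbo.PatientIdentity TO ReportUsers;
```

Because the trigger runs inside the database, an edit made through any client (the Alpha Anywhere app, SSMS, or a script) lands in the audit table, which is the independence from the user interface the section above describes.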

 

Learn more about building HIPAA compliant applications for hospitals, insurance companies and health plans in Alpha Anywhere by emailing marketing@alphasoftware.com

About Author

Jerry Brightbill