An Overview of HIPAA and How End-to-End Encryption Can Help with Compliance

Rebecca YarbroughNovember 29th, 2018

An important note: many companies come to Virgil Security with questions about HIPAA and end-to-end encryption. We’ll try to answer many common questions here. It’s important to note that this is not legal advice, and should not be treated that way. HIPAA is complex, and you should consult legal experts regarding your product’s own HIPAA compliance.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, regulates a large range of medical activities, ranging from insurance coverage to breach reporting. We’ll focus on the what it says about medical data, specifically protected health information (PHI). Those rules are found in the Administrative Simplification rules within Title II of HIPAA.

Do I have to be HIPAA compliant?

It’s helpful to think about HIPAA compliance as a chain of liability. You don’t want to be the weakest link.

The hospitals, doctors, insurers, etc. are known as “Covered Entities.” Anyone who’s handling PHI on their behalf is known as a “Business Associate.” Business Associates also have to be HIPAA compliant and are subject to penalties and enforcement if they’re caught violating any of HIPAA’s rules.

Covered Entities will not let anyone touch their PHI without signing a contract known as a Business Associate Agreement (BAA) to transfer compliance liability. So if you want to play in the healthcare space, you’ll need to deal with HIPAA either through compliance or by structuring your product so that you’re not touching PHI.

How do I comply with HIPAA?

Good question. We can’t answer this for you, but we can give you a brief overview and explain where we come in.

HIPAA’s rules on PHI focus on user privacy, data security and breach reporting. If you think about it, this could touch basically everything in your business. Fines have been levied against companies for both electronic and physical data security, including company laptops with PHI on them being stolen, patient records being improperly shredded, and more.

If you want to be HIPAA compliant, you need to ensure that PHI is secure and private at every moment in your product. There are many guides, checklists and consultants available to help you navigate your compliance journey, but there is no official stamp of approval that certifies you are HIPAA compliant. Instead, you can undergo a self-audit before hiring an outside firm to perform an external review that a Covered Entity will trust. And of course, HIPAA compliance requires a holistic approach with help from legal counsel (not just blog posts like this one).

HIPAA is something to be taken very seriously. The fines and penalties for non-compliance can cost companies their reputation and millions of dollars in fines and can include civil and criminal convictions for individuals. Because it’s so onerous, HIPAA can be a significant barrier to innovation and disruption in the healthcare space.

Do services I use need to be HIPAA compliant?

Yes. If you’re handling PHI, that means that any third party service you give access to that PHI needs to be HIPAA-compliant and needs to sign a BAA with you to assume that liability. For instance, any service you’re using to send around PHI (like email, messaging, cloud storage, etc.) needs to be HIPAA compliant and sign a BAA.

But even if you’re using HIPAA-compliant services, that might not be enough to protect yourself from data breaches. If PHI is exposed, you could still be held responsible.

Why? Well, one of the most frustrating aspects of data security is that it’s almost impossible to make things completely, 100% secure because humans are typically the weakest link. Whether it’s the engineering team making a development mistake like not properly configuring your security rules or an administrative team member clicking on a phishing email, accidents do happen and your company can be responsible for those accidents.

Check out this list of HIPAA violations and accompanying fines and you’ll see that many violations are related to a person making a mistake or error in judgement, and the company had not built a safety net to prevent that mistake from exposing PHI.

Many healthcare companies now use end-to-end encryption as a safety net in addition to using a HIPAA-compliant cloud service. If and when human errors are made, data might beach out but it’ll be encrypted and look like jibberish. It can only be decrypted (and read) using the patients’ keys to which only the patient and the relevant caregivers have access.

Implementing end-to-end encryption takes slightly more effort at the beginning, but can save a company from being held responsible for a third party or internal team member’s mistake.

Can I use Virgil Security to achieve HIPAA compliance when I’m using a cloud service that’s not HIPAA compliant?

If you’re using a messaging platform, mobile backend as a service, or cloud service that is not HIPAA compliant or if you’ve built your own, you can use Virgil Security’s end-to-encryption to secure the ePHI in your product in a way that’s HIPAA compliant.

This is achieved through a two-pronged approach:

  1. End-to-end encryption of ePHI secures the data and de-identifies the data
  2. Immediate redaction of message data (including metadata) can allow you to be classified as a courier (called “conduit” in HIPAA language), which can exempt you from HIPAA altogether (unless your product is handling ePHI in other ways)

End-to-end encryption makes it impossible for anyone but the two designated end points to access or intercept any data that you’ve encrypted in your healthcare app. Technically then, they’re not handling PHI.

Think back to the chain of liability. If you use end-to-end encryption and message redaction to prevent others from handling PHI, you’re limiting the chain of liability and simplifying your compliance needs (and your life, too).

Learn how it works with Firebase here. You can implement the same concepts in your own product.

Important: using Virgil’s end-to-end encryption SDK to build a HIPAA-compliant communications function within your app does not necessarily make your entire healthcare app HIPAA-compliant. Securing ePHI and protecting user privacy via end-to-end encryption is one piece of the compliance puzzle.

Why does this matter?

HIPAA compliance is complicated and costly, and this burden prevents new potential players from entering the healthcare market. Many healthcare apps are mainly chat or data transfer, so an end-to-end encryption SDK that makes an app’s core function HIPAA-compliant opens the market to new players and also keeps ePHI safer.

Additionally, existing enterprise HIPAA compliance schemes can be unwieldy and insecure. Replacing enterprise compliance solutions with end-to-end encryption brings healthcare security to the 21st century.

How does Virgil’s technology work?

Virgil Security has open source SDKs that allow you to end-to-end encrypt data on and between any device – including mobile phones, servers, desktop computers and IoT devices.

There are three main components to our tech: 1) Virgil Crypto Library that powers the encryption algorithms and functions, 2) Virgil Cards Services that manages the public and private keys that each device needs, and 3) Virgil SDK that connects each client device to Virgil Crypto Library and Virgil Cards Services so that encryption and decryption happens locally on the client side.

Our end-to-end encryption is completely end-to-end. Neither you nor Virgil will be able to see any data that is encrypted using our SDK. Only the message senders and recipients will have access to the plaintext.

What can I end-to-end encrypt?

Anything – chat messages, files, photos, sensory data on IoT devices, permanent or temporary data. You decide what data you want to end-to-end encrypt. For example, you might want to keep benign information (like timestamps) in plaintext but end-to-end encrypt the message content.

What are common use cases?

  • Mobile Chat App – includes group chat
  • File Transfer – patient records transfer between patient, provider and/or insurer
  • IoT – medical devices and/or data gathered by the device

What are my other options?

Virgil Security’s product encrypts and authenticates data from Point A to Point B. If your product is more complex and your HIPAA compliance needs extend far beyond just protecting the ePHI in your chat/messaging function, other options like Google Cloud Platform might be better for you.

What are the downsides to end-to-end encryption?

End-to-end encryption simplifies your healthcare security system by locking up data except for the end users. That could create other issues that you should think through in advance:

  • You won’t be able to view the customer data that you’ve end-to-end encrypted. Obviously, this is by design, but it can make things more difficult if you’re looking to troubleshoot a specific customer issue.
  • Similarly, third parties won’t be able to run analytics or other functions on the data that you’ve encrypted. If there’s data that you need to give a third party access to, consider leaving that data unencrypted. But of course, you’ll have to do that in a HIPAA-compliant way.
  • There’s a minor performance hit involved when encrypting and decrypting data. Something along the lines of 1-2 ms per message on the client device. Plus, your clients will need network access whenever they want to encrypt that message (user key lookup is an online operation, which you can cache after it’s done).

Do you have other general security recommendations?

HIPAA requires some level of encryption everywhere you store PHI. Most of our users working on mobile apps end up relying on the phone’s built-in security features. While this is outside of our purview, here are some basic recommendations:

iOS:

  • Block unintended backup from happening when you are storing secrets in the keychain (i.e. use kSecAttrAccessibleWhenUnlockedThisDeviceOnly instead of kSecAttrAccessibleWhenUnlocked).
  • Don’t allow your app run on a rooted / jailbroken device
  • Do not disable SSL certificate validity checking in your app
  • Read through and apply Apple’s security best practices: https://developer.apple.com/library/content/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html

Android:

  • Turn off the auto backup functionality
  • Don’t allow your app to run on a rooted device
  • Do not disable SSL certificate validity checking in your app
  • Read and apply Google’s security best practices: https://developer.android.com/training/best-security.html

How do I get started?

If you’re building on Firebase, start testing our beta e3kit SDK here. Not using Firebase? Get started on our dashboard at https://virgilsecurity.com/.

We chat with customers all day about their healthcare apps, and we’d love to help you with yours. Find us on Slack here.

More HIPAA Resources

Firebase-HIPAA

Twilio-HIPAA

Virgil Security, Inc. gives developers a security toolbox to protect their application data using end-to-end encryption and password security.