Architecting for HIPAA on Tadabase

Apr 17, 2024 — 15 min read

Contents:

1. Introduction

2. Technical Overview of HIPAA Compliance

3. Designation of HIPAA Accounts

4. Changes to Tadabase Experience from HIPAA Accounts

5. Customer Requirements for HIPAA Compliance

6. HIPAA Compliance and Tadabase User Experience

7. Conclusion

8. Frequently Asked Questions

Introduction

This document is intended for Tadabase customers who have a Business Associate Addendum (BAA) in place with Tadabase or intend to enter into a BAA with Tadabase. This document provides specific guidelines on how customers can use Tadabase to develop HIPAA compliant applications and workflows. 

Tadabase believes that security and compliance are shared responsibilities between Tadabase and the customer. We have implemented certain HIPAA controls to protect our customers' data, and additional safeguards are necessary for customers seeking HIPAA compliance.

Tadabase is committed to providing the services and tools required to configure for these additional requirements. It is the customer's responsibility to ensure that their applications and workflows built on Tadabase make use of these tools to design a solution that supports HIPAA compliance. Throughout this document, we have indicated whether each Tadabase feature is required for HIPAA compliance or recommended for enhanced security. We have also highlighted use cases that customers should avoid at this time. Additionally, there are sections that provide special considerations for customers to be aware of under certain circumstances.


A technical overview

Before getting into the specifics of being HIPAA compliant, let’s first understand what HIPAA compliance means. Once we get an idea of the overarching scope, we can dig deeper into how to achieve compliance. 

What is HIPAA and HIPAA Compliance?

In the healthcare industry, safeguarding sensitive patient information is paramount. The  Health Insurance Portability and Accountability Act (HIPAA) sets forth stringent standards and regulations to ensure the confidentiality, integrity, and security of electronic Protected Health Information (ePHI) - information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity or a Business Associate and can be linked to a specific individual. 

Compliance with HIPAA is not optional; it's a legal requirement for healthcare organizations and those handling ePHI. Achieving HIPAA compliance involves adhering to a comprehensive set of rules designed to protect patient privacy and secure patient information. This includes implementing appropriate physical, administrative, and technical safeguards to protect ePHI, conducting risk assessments regularly, and ensuring that all staff are trained on HIPAA regulations. Compliance not only ensures legal conformity but also builds trust with patients by protecting their sensitive information from unauthorized access and breaches.

Business Associate Agreement (BAA)

In the context of HIPAA compliance, a  Business Associate Agreement (BAA) is an essential document that formalizes the relationship between a covered entity and a business associate. This agreement is crucial as it outlines the responsibilities of the business associate in protecting electronic Protected Health Information (ePHI) in accordance with HIPAA standards. For Tadabase users, signing a BAA with Tadabase is a necessary step for any entity that handles ePHI, ensuring that both parties are legally bound to uphold the privacy and security measures required by HIPAA. This legal requirement not only reinforces the commitment to safeguarding patient data but also defines the protocols for reporting any potential data breaches, thereby providing a framework for compliance and accountability. Using Tadabase, organizations can configure these safeguards effectively, ensuring that ePHI is managed securely and in compliance with HIPAA standards. Compliance not only ensures legal conformity but also builds trust with patients by protecting their sensitive information from unauthorized access and breaches.

Access Control

One of the core technical safeguards in the HIPAA Security Rule is access control: regulating who can reach ePHI so that only authorized individuals can view or modify it. The Security Rule breaks each standard into implementation specifications that are either required or addressable. "Addressable" does not mean optional: a covered entity or business associate must implement the specification, implement an equivalent alternative, or document why neither is reasonable and appropriate in its environment.

Implementation Specifications under Access Control

1. Unique User Identification (required): Every user must be assigned a unique name and/or number so that activity in the system can be tracked and attributed to a single identity. Shared accounts defeat this.

2. Emergency Access Procedure (required): Procedures must be established for obtaining necessary ePHI during an emergency.

3. Automatic Logoff (addressable): Electronic sessions should terminate after a predetermined period of inactivity.

4. Encryption and Decryption (addressable): A mechanism to encrypt and decrypt ePHI at rest.

Verifying that the entity requesting access is who it claims to be is a separate standard, Person or Entity Authentication, described below.

Audit Control

Audit control is the second critical aspect of HIPAA's technical safeguards. It involves the systematic recording and monitoring of all activities related to ePHI. The core requirement here is to implement hardware, software, and procedural safeguards that record and examine activity within information systems that use or contain ePHI. This practice ensures that any unauthorized access or modifications can be identified and investigated promptly, aligning with the broader goal of enhancing ePHI security.

Integrity Control

Integrity controls focus on ensuring that ePHI is not improperly altered or destroyed, whether through human error, software faults, or deliberate tampering. This is vital for patient safety and treatment quality. The addressable implementation specification here is a mechanism to authenticate ePHI, that is, an electronic measure (such as a checksum, digital signature, or tamper-evident change log) that confirms the data has not been altered in an unauthorized manner.

Person or Entity Authentication

Person or entity authentication, while related to access control, gives organizations flexibility in how they require users to prove their identity before gaining access to ePHI. Methods include passwords, PINs, smart cards, and biometrics such as fingerprints, facial recognition, or voice recognition. The methods chosen will depend on the needs and security policies of each organization; combining two independent factors (multi-factor authentication) materially reduces the impact of a stolen password.

Transmission Security

The final technical safeguard, transmission security, focuses on preventing unauthorized access to ePHI while it is transmitted over an electronic network, such as via email, APIs, or other digital channels. Its two addressable implementation specifications are integrity controls (ensuring transmitted ePHI is not modified without detection) and encryption (for example TLS for HTTPS traffic).

For a more in-depth understanding of HIPAA's Security Rule and its technical safeguards, you can refer to the Department of Health and Human Services (HHS) website, which provides detailed information on HIPAA security requirements.

Designation of HIPAA accounts

Customers seeking to develop HIPAA compliant workflows on Tadabase will need to acquire a HIPAA Add-On subscription that includes HIPAA Accounts. This package allows customers to designate their Apps as HIPAA eligible. For those customers who have entered into a BAA with Tadabase, it is crucial to specify which of their Tadabase apps are designated as HIPAA apps.

Customers may use any Tadabase product or service within a designated HIPAA app. However, workflows that may contain Protected Health Information (PHI) must be built only with HIPAA Eligible Products and Services. A HIPAA-designated app must not process, store, or transmit PHI through Tadabase products or services that lack HIPAA eligibility.

If the entire account is designated as a HIPAA account when the BAA is signed, any app created in that account afterwards is automatically marked as a HIPAA app. Apps that existed before the BAA was signed do not receive the designation automatically unless they are listed in the BAA. If only selected apps are designated when the BAA is signed, the customer must request the HIPAA designation for every app created later before it is used for PHI.

Customers can reach out to their Tadabase Account Representative or contact Support to enable HIPAA eligibility for new apps.

Recognizing that customers rely on Tadabase's products and services to power their applications and critical communication workflows, Tadabase is committed to providing at least 180 days' notice to customers before deprecating any HIPAA eligible products and services. Any notices of deprecation will be posted as updates to this document.

Changes to Tadabase Experience from HIPAA Accounts

When an app is designated as HIPAA compliant within Tadabase, there will be some minor adjustments to the customer's user experience:

The Builder experience with HIPAA designation will include an automatic logoff triggered after 15 minutes of inactivity. This measure is in place to enhance security, as the Tadabase Console may contain the customer's Protected Health Information (PHI).

Furthermore, any changes specific to individual Tadabase products resulting from HIPAA Accounts are detailed under each product's respective section within this document.


Customer Requirements for All Tadabase apps

This section outlines the set of required and recommended best practices for building a HIPAA compliant app on Tadabase, regardless of which products and services are being used.

Security and Compliance

Tadabase offers a range of features to help customers enhance security and compliance when developing applications with Tadabase's platform. This section outlines the requirements for creating HIPAA-compliant workflows and provides recommended best practices for ensuring optimal security.

Required for HIPAA

Encrypted Communication

Tadabase supports encryption to safeguard communications between Tadabase and your web application. Customers developing HIPAA-compliant workflows must use HTTPS for making requests to Tadabase and must configure Tadabase's outbound requests (for example webhooks and integrations) to be sent to the customer over HTTPS as well. Endpoints that receive data from Tadabase should present a valid certificate; an endpoint that accepts plain HTTP, or that redirects HTTPS to HTTP, exposes PHI in transit.

Record Logging

Enabling record logging is crucial for HIPAA compliance because it tracks and logs every modification made to data stored in Tadabase. Each entry records which record was changed, when, and from which IP address, giving you the audit trail the Security Rule's audit controls standard calls for.

Delete Logging

In conjunction with record logging, delete logging allows organizations to monitor and document all instances of deleted records. This feature provides essential information, including the time of deletion, the source of deletion, and the associated IP address. By maintaining these detailed logs, healthcare entities can demonstrate compliance with HIPAA regulations, ensuring a secure and accountable data management system.

Secure Buckets Only

Enabling the "Secured" setting for uploaded files is a crucial step in safeguarding patient information under HIPAA. It stores files in a Tadabase S3 bucket with access restrictions. By default, uploaded files are open for viewing and downloading by anyone who has the file URL, with no login required. Once a File or Attachments field is secured, viewing or downloading its files is limited to authenticated users: only those logged into the Tadabase Builder or the Published Application can access them. Every field that can hold PHI (scanned forms, lab results, images) must be secured.

As a result, some functions within the Tadabase Builder are no longer supported. For example, including uploaded files as attachments in "form component email notifications" is not supported, because email would expose PHI outside the authenticated application. For uploaded files that do not include PHI, a purpose-built Pipe can be used to send secured files via email.

Secure Layouts, Pages, and Rows

Securing Layouts and Pages within Tadabase is how an application handling sensitive patient data meets HIPAA's access control standard. By default, a new Tadabase app is created with its Pages and Layouts unsecured, which leaves every page reachable without logging in.

Layout and Page security functionality enables app creators to establish custom security permissions for specific Pages. This is achieved through the Page Security section within the Settings tab of a selected Page's navigation menu. There are three primary security options:

1. Anyone, no login required: This default setting makes the page visible to anyone, without requiring a login. Never use it for a page that displays, edits, or exports PHI.

2. Only Logged In Users: Enabling this option ensures that only users who are logged into the app can view the Page. However, this setting does not differentiate between user roles, making it necessary to implement more specific security measures.

3. Only Users In Specific Roles: This option allows the app creator to secure the Page by assigning specific user roles. When selected, the creator can choose one or multiple roles, limiting access to users assigned to those roles. A user who holds any one of the selected roles (not all of them) is permitted to access the secured Page.

Implementing Layout and Page security is vital for HIPAA compliance as it ensures that sensitive patient data is accessible only to authorized personnel, maintaining the confidentiality and integrity of the information. Additionally, access can be controlled at the granular level of individual Page Rows within the Page ensuring that app creators can create a secure environment that aligns with HIPAA regulations and protects patient privacy.

App Auto Logout

In healthcare environments, especially those dealing with sensitive patient data, it is imperative to safeguard against unauthorized access in case a user forgets to log out or leaves their session unattended. 

By automatically logging users out after a specified period of inactivity, this feature significantly reduces the risk of unauthorized access to patient records and other confidential information.

Under the Security Rule, automatic logoff is an addressable implementation specification of the access control standard; Tadabase requires it for HIPAA apps. By terminating inactive sessions on the server side, Tadabase applications mitigate the risk of an unattended workstation, uphold patient confidentiality, and maintain the integrity of sensitive healthcare data. Choose the inactivity period to match the clinical setting: shared kiosks and nursing-station workstations warrant shorter timeouts than a single-user office.

Login Logs

Login Logs offer real-time insights into user activities, enabling administrators to monitor login patterns and detect suspicious behavior promptly. This proactive approach enhances security measures and helps prevent unauthorized access attempts.

HIPAA compliance mandates robust audit trails. Login Logs serve as a comprehensive audit trail by documenting user logins and associated details. This documentation is invaluable during compliance audits, demonstrating adherence to regulatory requirements.

In the event of a security incident or breach, detailed login information becomes invaluable. Login Logs provide essential data points for investigating incidents, identifying the source of unauthorized access, and implementing corrective actions to prevent future breaches.
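The following is an added example and not Tadabase code: it shows the kind of review a security engineer would run over exported Login Logs to turn the raw records into findings. The CSV layout (timestamp, user, ip, result) and the sample entries are constructed for illustration; adjust the parser to the columns of the real export. It flags three patterns: a burst of failed logins from one IP, a successful login that immediately follows a run of failures for the same user and IP (a guessed password), and successful logins outside working hours.

```python
"""Review exported login logs for suspicious patterns.

Added example, not Tadabase code. The CSV columns below are an assumed
export format (timestamp, user, ip, result); adapt parse_log() to the real one.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export (not real data). Times are UTC.
SAMPLE_LOG = """timestamp,user,ip,result
2024-04-15T08:02:11Z,nurse.a@clinic.example,203.0.113.10,success
2024-04-15T08:05:40Z,dr.b@clinic.example,203.0.113.11,success
2024-04-15T09:10:01Z,dr.b@clinic.example,198.51.100.7,failure
2024-04-15T09:10:08Z,dr.b@clinic.example,198.51.100.7,failure
2024-04-15T09:10:15Z,dr.b@clinic.example,198.51.100.7,failure
2024-04-15T09:10:22Z,dr.b@clinic.example,198.51.100.7,failure
2024-04-15T09:10:30Z,dr.b@clinic.example,198.51.100.7,failure
2024-04-15T09:10:44Z,dr.b@clinic.example,198.51.100.7,success
2024-04-15T23:47:03Z,nurse.a@clinic.example,203.0.113.10,success
"""


def parse_log(text):
    """Parse the CSV export into dicts sorted by time."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": row["user"],
            "ip": row["ip"],
            "result": row["result"],
        })
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return (ip, count) for IPs with >= threshold failures inside a sliding window."""
    bursts = {}
    recent = defaultdict(list)
    for e in events:
        if e["result"] != "failure":
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures older than the window
            q.pop(0)
        if len(q) >= threshold:
            bursts[e["ip"]] = max(bursts.get(e["ip"], 0), len(q))
    return sorted(bursts.items())


def success_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """Successful login right after repeated failures for the same user and IP."""
    hits = []
    recent = defaultdict(list)
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            recent[key].append(e["ts"])
            continue
        fails = [t for t in recent[key] if e["ts"] - t <= window]
        if len(fails) >= min_failures:
            hits.append((e["user"], e["ip"], e["ts"]))
        recent[key].clear()
    return hits


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins outside the configured working hours (UTC here)."""
    return [(e["user"], e["ts"]) for e in events
            if e["result"] == "success" and not (start_hour <= e["ts"].hour < end_hour)]


def review(text):
    events = parse_log(text)
    return {
        "bursts": failed_login_bursts(events),
        "guessed": success_after_failures(events),
        "off_hours": off_hours_logins(events),
    }


if __name__ == "__main__":
    for name, findings in review(SAMPLE_LOG).items():
        print(name, findings)
```

Run on the sample, the review reports one burst of five failures from 198.51.100.7, one success from that address for dr.b immediately after the failures, and one off-hours login by nurse.a. Thresholds and working hours are tuning knobs; the point of the exercise is that a log nobody reads is not an audit control.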

Password Minimums

Strong passwords are the first line of defense against unauthorized access. Tadabase lets you enforce password minimums such as length and a mix of uppercase and lowercase letters, numbers, and special characters. HIPAA itself does not prescribe a password format; password management is an addressable specification under the administrative safeguards. Current NIST guidance (SP 800-63B) favors a minimum length and screening against known-compromised passwords over complex composition rules, so set a generous minimum length, enable multi-factor authentication where available, and do not rely on character classes alone.

Support Tickets

Customers should refrain from including Protected Health Information (PHI) in any support tickets submitted through Tadabase's Support Center, whether via the Console, Email, or Chat with Support Agents.

Recommended for HIPAA

This section outlines additional settings and practices that are not mandatory for HIPAA designation but that strengthen the security posture of a HIPAA app.

HIPAA Training

HIPAA training is essential for all personnel who have access to protected health information (PHI). It is crucial to ensure that everyone using Tadabase in a HIPAA-compliant environment is aware of the rules and regulations surrounding PHI.

To achieve HIPAA training compliance using Tadabase:

  • User Education: Provide comprehensive training to your team on HIPAA regulations, Tadabase security features, and best practices for handling PHI within the platform.
  • Documentation: Maintain records of employee training and ensure that new team members receive HIPAA training upon joining.

IP Whitelisting

IP whitelisting (allowlisting) restricts access to your Tadabase application to specific source IP addresses or ranges, adding a network-level layer on top of login and role checks. It works best when staff reach the app from fixed office egress addresses or through a VPN; it is a poor fit for users on home or mobile connections whose addresses change, and it never replaces authentication.

To implement IP whitelisting in Tadabase, follow these steps:

  • Access Settings: In your Tadabase account, navigate to the application settings.
  • Security: Find the security or access control section and look for the IP whitelisting feature.
  • Configure Whitelist: Add the IP addresses or ranges that are allowed to access your Tadabase application. Ensure that only authorized personnel can access PHI.
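Tadabase applies its allowlist inside the platform, so the following is an added example rather than Tadabase's implementation. It shows the two things an allowlist must get right: matching CIDR ranges rather than single addresses, and deciding which address to check when the application sits behind a reverse proxy. The X-Forwarded-For header is attacker-controlled unless a proxy you trust set it, so the check only honours it when the TCP peer is a trusted proxy, and then uses the rightmost hop (the one that proxy appended) rather than the spoofable leftmost value. The allowlist, the trusted proxy range, and the addresses in the checks are constructed for illustration; a single trusted proxy layer is assumed.

```python
"""IP allowlisting with CIDR ranges and the proxy-header pitfall.

Added example, not Tadabase's implementation. Ranges below are constructed.
"""
import ipaddress

# Constructed allowlist: clinic office egress block plus one VPN concentrator address.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.42/32")]

# Reverse proxies / load balancers whose X-Forwarded-For we trust (assumed RFC 1918 range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_allowed(ip):
    """True if the address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def client_ip(remote_addr, x_forwarded_for=None):
    """Pick the address to check against the allowlist.

    Only honour X-Forwarded-For when the TCP peer is a trusted proxy, and then
    take the rightmost hop (appended by that proxy). Anything a client puts in
    the header itself ends up further left and is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return remote_addr


def check_request(remote_addr, x_forwarded_for=None):
    """Allow/deny decision for one request; malformed addresses are denied, not guessed."""
    try:
        return is_allowed(client_ip(remote_addr, x_forwarded_for))
    except ValueError:
        return False


if __name__ == "__main__":
    print(check_request("203.0.113.5"))                       # office address: allowed
    print(check_request("192.0.2.9", "203.0.113.5"))          # spoofed header, untrusted peer: denied
    print(check_request("10.1.2.3", "203.0.113.5, 192.0.2.9"))  # real client appended by proxy: denied
```

The third call is the case that breaks naive implementations: the client sent a forged `X-Forwarded-For: 203.0.113.5`, the proxy appended the real source, and taking the leftmost value would have let it through.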

Review Sessions

Regularly reviewing active user sessions helps ensure that no unauthorized access is occurring.

  • Session Management: Go to your Tadabase application settings.
  • Security: Look for the session management or activity log section.
  • Review Active Sessions: Periodically check the list of active user sessions and log out any suspicious or unauthorized sessions.
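Tadabase enforces auto logout and lists sessions inside the platform; the following is an added example, not Tadabase code, of the session logic behind both the App Auto Logout requirement above and this session review step. It enforces an idle timeout on the server (a client-side timer alone is not a control, because a stolen session cookie keeps working), adds an absolute lifetime so a session cannot be kept alive forever by periodic activity, purges expired sessions before listing them for review, and supports logging a user out everywhere when a suspicious session is spotted. The 15-minute idle value matches the Builder's logoff; the 12-hour absolute cap and the user and IP values are assumptions.

```python
"""Server-side idle timeout, absolute lifetime, and active-session review.

Added example, not Tadabase code. ABSOLUTE_TIMEOUT and the demo data are assumed.
"""
import secrets
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)     # matches the Builder's 15-minute auto logoff
ABSOLUTE_TIMEOUT = timedelta(hours=12)   # assumed cap on total session lifetime


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def _expired(self, s, now):
        return now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT

    def login(self, user, ip, now):
        sid = secrets.token_urlsafe(32)  # 256-bit unguessable session id
        self._sessions[sid] = {"user": user, "ip": ip, "created": now, "last_seen": now}
        return sid

    def touch(self, sid, now):
        """Validate a request. Returns the user, or None if the session is unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._expired(s, now):
            del self._sessions[sid]      # revoke server-side; do not rely on the client
            return None
        s["last_seen"] = now
        return s["user"]

    def active(self, now):
        """Review list of (user, ip, idle minutes); expired sessions are purged first."""
        for sid in [k for k, s in self._sessions.items() if self._expired(s, now)]:
            del self._sessions[sid]
        return [(s["user"], s["ip"], int((now - s["last_seen"]).total_seconds() // 60))
                for s in self._sessions.values()]

    def revoke_user(self, user):
        """Log a user out everywhere, e.g. after a suspicious session is found in review."""
        doomed = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def demo():
    """Two users log in; one keeps working, the other goes idle past the timeout."""
    t0 = datetime(2024, 4, 15, 9, 0)
    store = SessionStore()
    a = store.login("nurse.a", "203.0.113.10", t0)
    b = store.login("dr.b", "198.51.100.7", t0)
    store.touch(a, t0 + timedelta(minutes=10))            # nurse.a active at +10 min
    still_b = store.touch(b, t0 + timedelta(minutes=16))  # dr.b idle 16 min: logged out
    listing = store.active(t0 + timedelta(minutes=16))    # only nurse.a remains, idle 6 min
    revoked = store.revoke_user("nurse.a")                # admin ends that session
    return still_b, listing, revoked


if __name__ == "__main__":
    print(demo())
```

When reviewing sessions, treat a user appearing from two distant IP addresses at once, or a session whose idle time is far longer than the timeout should allow, as signals worth investigating.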

Name and Rotate Keys

API keys are used to connect external services to your Tadabase application. Naming and rotating them enhances security.

To manage API keys in Tadabase:

1. API Key Management: In your Tadabase account, go to the API Settings section.

2. Naming Convention: Assign clear and descriptive names to your API keys for easy identification.

3. Rotation: Periodically rotate API keys to limit the damage a leaked key can do, and rotate immediately if a key may have been exposed. Issue the new key first, update every integration that uses it, then deactivate the old key; keep the overlap short and confirm the old key has been deactivated. Store keys in a secrets manager or environment variables on the server side, never in client-side code or shared documents.
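Tadabase manages its own API keys in the Builder, so the following is an added example, not Tadabase's key management. It models what a team should track about each named key so that rotation can be scheduled and performed without breaking integrations: only a hash of the key secret is stored, rotation issues a replacement and schedules the old key to retire after a grace window, revocation cuts a key off immediately for suspected leaks, and an age report lists keys that have outlived the rotation policy. The key name, the 7-day grace window, the 90-day maximum age, and the key prefix are assumptions for illustration.

```python
"""Named API keys with scheduled rotation, a grace window, and immediate revocation.

Added example, not Tadabase's implementation. GRACE, MAX_AGE and the demo key name
are assumed values.
"""
import hashlib
import secrets
from datetime import datetime, timedelta

GRACE = timedelta(days=7)     # assumed overlap during which old and new keys both work
MAX_AGE = timedelta(days=90)  # assumed rotation policy


class KeyRegistry:
    def __init__(self):
        self._keys = {}  # sha256(secret) -> metadata; the plaintext secret is never stored

    @staticmethod
    def _fingerprint(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, name, now):
        """Create a key with a descriptive name; return the secret to the caller once."""
        secret = "tb_" + secrets.token_urlsafe(32)
        self._keys[self._fingerprint(secret)] = {"name": name, "created": now, "retire_at": None}
        return secret

    def rotate(self, name, now):
        """Issue a replacement and schedule every live key of that name to retire after GRACE."""
        for meta in self._keys.values():
            if meta["name"] == name and meta["retire_at"] is None:
                meta["retire_at"] = now + GRACE
        return self.issue(name, now)

    def revoke(self, name, now):
        """Kill switch for a suspected leak: every key of that name stops working now."""
        for meta in self._keys.values():
            if meta["name"] == name:
                meta["retire_at"] = now

    def authenticate(self, secret, now):
        """Return the key name if the secret is valid and not retired, else None."""
        meta = self._keys.get(self._fingerprint(secret))
        if meta is None:
            return None
        if meta["retire_at"] is not None and now >= meta["retire_at"]:
            return None
        return meta["name"]

    def overdue(self, now):
        """Names of live keys older than MAX_AGE that have not been scheduled for rotation."""
        return sorted(m["name"] for m in self._keys.values()
                      if m["retire_at"] is None and now - m["created"] > MAX_AGE)


def demo():
    t0 = datetime(2024, 4, 15)
    reg = KeyRegistry()
    old = reg.issue("ehr-sync-prod", t0)
    t_rotate = t0 + timedelta(days=100)
    due = reg.overdue(t_rotate)                 # 100 days old: flagged by the age report
    new = reg.rotate("ehr-sync-prod", t_rotate)
    t_in_grace = t_rotate + timedelta(days=3)   # both keys valid while integrations switch
    t_after = t_rotate + timedelta(days=8)      # old key retired
    results = (
        due,
        reg.authenticate(old, t_in_grace), reg.authenticate(new, t_in_grace),
        reg.authenticate(old, t_after), reg.authenticate(new, t_after),
    )
    reg.revoke("ehr-sync-prod", t_after)        # suspected leak: no grace period
    return results + (reg.authenticate(new, t_after),)


if __name__ == "__main__":
    print(demo())
```

The grace window is what lets you update integrations one at a time without an outage; revocation deliberately skips it, because once a key is suspected leaked, a broken integration is the cheaper failure.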

Require Page Version Comments

Requiring version comments helps maintain a clear change history for your Tadabase application, which is crucial for compliance and auditing.

To require version comments in Tadabase:

1. Version Control: Access the version control settings within your Tadabase application.

2. Enforce Comments: Enable the option to require comments when making changes to your application. This ensures that all modifications are documented.

Share Minimum Necessary Access to App

Sharing minimum necessary access ensures that only authorized users have access to sensitive data within your Tadabase application.

  • User Roles: Define user roles with appropriate permissions within your Tadabase application.
  • Access Control: Assign these roles to users based on their job responsibilities and the minimum access level required to perform their tasks.

Review Shared App Access

Regularly reviewing shared app access is essential to prevent unauthorized users from accessing your Tadabase application.

  • User Management: Navigate to the user management or access control section in your Tadabase application.
  • Access Permissions: Review the list of users with access and ensure that only authorized personnel have permission to access and modify data.

Review Change Logs

Reviewing change logs helps maintain transparency and accountability in your Tadabase application, which is crucial for HIPAA compliance.

To review change logs in Tadabase:

  • Audit Trail: Access the Logs within the Settings of your app.
  • Regular Auditing: Periodically review the change logs to track all modifications made to your data and applications.

Ensure Backups Are Working Properly

Regular backups are essential to ensure data recovery in case of any unforeseen events or data loss.

To ensure backups are working properly in Tadabase:

  • Backup Settings: Check the backup settings and backup logs within your Tadabase application.
  • Regular Testing: Periodically test the backup and recovery process to ensure data can be restored successfully.

Remove Batch Operations Unless Very Necessary

Limiting batch operations helps minimize the risk of accidental data breaches or unauthorized data access.

To remove batch operations in Tadabase:

  • Application Settings: Review your Tadabase application settings and restrict batch operations to only authorized personnel.
  • Training: Educate your team on the importance of using batch operations sparingly and with caution.

Conclusion

This blog post provides a comprehensive guide for Tadabase customers who are either currently under a Business Associate Addendum (BAA) or are considering one, detailing how to build HIPAA-compliant applications and workflows. It underscores the shared responsibility between Tadabase and its customers in ensuring compliance, highlights critical technical safeguards such as access, audit, integrity, authentication, and transmission security, and explains the importance of proper designation of HIPAA accounts. Additionally, it outlines customer obligations for securing data and enhancing security measures, while also adjusting user experience to align with HIPAA standards. This guide serves as a crucial resource for leveraging Tadabase's capabilities to meet stringent healthcare data protection regulations effectively.

Frequently Asked Questions (FAQs)

1. What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act, is a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers.

2. What is HIPAA compliance, and why is it important for healthcare software?

HIPAA compliance refers to adherence to the Health Insurance Portability and Accountability Act, which is crucial for safeguarding patient data privacy and security in the healthcare industry. Ensuring HIPAA compliance helps protect sensitive healthcare information from unauthorized access and breaches.

3. What is a Business Associate Addendum (BAA) and why do I need one with Tadabase?

A Business Associate Addendum (BAA) is a legal document required under HIPAA that outlines the responsibilities of a business associate, like Tadabase, in handling protected health information (PHI). It is necessary for ensuring that all parties involved comply with HIPAA regulations when dealing with ePHI.

4. How does Tadabase ensure the security of electronic Protected Health Information (ePHI)?

Tadabase implements several technical safeguards such as encrypted communications, secure storage, access controls, and audit trails to ensure the security and integrity of ePHI.

5. Can I designate any Tadabase app as HIPAA compliant?

Only apps that are specifically designated as HIPAA compliant and are part of a HIPAA Add-On subscription can be used for workflows that handle PHI.

6. What happens if I need to add new apps under my existing BAA with Tadabase?

New apps created within an account that already has a BAA need to be specifically designated as HIPAA compliant. This can be arranged through contacting Tadabase support or your account representative.

7. Are there specific features in Tadabase that I must use to be HIPAA compliant?

Yes, certain features are mandatory for HIPAA compliance, such as encrypted communication, secure buckets, auto logout, and detailed logging of records and deletions. Tadabase provides guidelines on which features are required and which are recommended for enhanced security.

8. How does Tadabase handle updates and changes to HIPAA eligible products?

Tadabase commits to providing at least 180 days' notice before deprecating any HIPAA eligible products and services, ensuring that customers have ample time to adjust their applications and workflows.

9. What should I do if there is a security concern or breach in my HIPAA-compliant app?

Contact Tadabase support immediately and follow the incident response and breach notification procedures set out in your BAA. Tadabase will assist in investigating the issue and implementing corrective measures.

10. How can I train my staff on HIPAA compliance within Tadabase?

Tadabase recommends providing comprehensive training on HIPAA regulations, Tadabase security features, and best practices for handling PHI. Documentation of training sessions and ensuring all new team members are trained is also crucial.

11. Can I store patient records and sensitive medical information in Tadabase?

Yes, within apps that are designated as HIPAA apps under a BAA. Tadabase provides a secure environment for storing and managing patient records and sensitive medical information, and the required features described in this document are how such an app is configured to adhere to HIPAA regulations.

12. Do you offer signed Business Associate Agreements (BAAs)?

Yes, we sign Business Associate Agreements (BAAs) with customers on a HIPAA plan. This formalizes our commitment to maintaining HIPAA compliance and protecting your healthcare data.

13. Can I integrate Tadabase with other healthcare systems and software?

Yes, Tadabase is designed to be compatible with various healthcare systems and software. Our platform offers integration capabilities to streamline your healthcare operations.

 


Published by

Moe Levine
