---
title: Health Tech, HIPAA, and Humans
teaser: "A brief introduction to HIPAA compliance for developers in health technology."
tags: health tech,security,compliance,design,consulting,accessibility
author:
- Mike Wenger
- Sarah Cassidy
published_on: 2019-10-25
---

Software is driving improvements in healthcare, from how providers diagnose and
treat ailments to addressing the social determinants of health, such as access
to housing and healthy food.

These changes can substantially improve our quality of life, but they do not
come easily. Medical technology faces strict compliance standards and a
constantly evolving set of security threats. Because lives can depend on the
software, the stakes are higher, and it is not always possible to work as lean
as you would on other products.

Whether you are building for biotech, pharma, connected care, hospital systems,
or another health-related area, thoughtbot supports organizations in meeting
compliance standards and strengthening product development processes to
reduce waste and improve patient outcomes.

We have seen a number of new developers joining the health field in order to
use their skills towards making a positive impact. Having worked with many
health technology companies, we have two key pieces of advice for software
developers joining a health tech company for the first time.

## HIPAA, HIPAA, Hooray!

Every developer in health tech has heard of HIPAA, the Health Insurance
Portability and Accountability Act, and of the compliance requirements that
come with it.

HIPAA sets the baseline for protecting patients' personal and medical
information, known as protected health information (PHI). It is the job of your
development team to ensure that equipment and software systems containing PHI
are carefully controlled and monitored, that access is limited to authorized
individuals, and that each of those individuals sees only the information they
need for their role.
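
The two requirements above, access limited to authorized individuals and access
that is monitored, can be illustrated in a few dozen lines. The following is an
added example written for this article, not thoughtbot's or any client's code.
The patient records, the care-team mapping, the roles and the `PhiStore` class
are all constructed for illustration; a real system would back the audit log
with tamper-evident storage rather than an in-memory array.

```ruby
require "time"

# Constructed sample PHI records, keyed by patient id (illustrative only).
PATIENTS = {
  "p-100" => { name: "Ada Lovelace", dob: "1815-12-10", ssn: "000-00-0001",
               diagnoses: ["hypertension"], meds: ["lisinopril"] },
  "p-200" => { name: "Alan Turing", dob: "1912-06-23", ssn: "000-00-0002",
               diagnoses: ["asthma"], meds: ["albuterol"] },
}.freeze

# Which patients each clinician is currently treating (care relationship).
CARE_TEAM = { "dr-smith" => ["p-100"] }.freeze

# Minimum necessary: each role only ever sees the fields it needs.
# Note that the SSN is not exposed to any role through this read path.
FIELDS_BY_ROLE = {
  clinician: %i[name dob diagnoses meds],
  billing:   %i[name dob],
  patient:   %i[name dob diagnoses meds],
}.freeze

User = Struct.new(:id, :role, keyword_init: true)

class AccessDenied < StandardError; end

class PhiStore
  attr_reader :audit_log

  def initialize(patients: PATIENTS, care_team: CARE_TEAM)
    @patients = patients
    @care_team = care_team
    @audit_log = [] # append-only; ship to tamper-evident storage in production
  end

  # Returns the permitted fields of a patient record, or raises AccessDenied.
  # Every attempt, granted or denied, is recorded before any data is returned,
  # so the audit trail cannot be skipped by an exception later in the call.
  def read(user, patient_id, purpose:)
    decision = authorize(user, patient_id)
    record_event(user, patient_id, purpose, decision)
    raise AccessDenied, decision[:reason] unless decision[:allowed]

    @patients.fetch(patient_id).slice(*FIELDS_BY_ROLE.fetch(user.role))
  end

  private

  # Authorization is based on the user's role plus their relationship
  # to the patient, not on the role alone.
  def authorize(user, patient_id)
    return deny("unknown patient") unless @patients.key?(patient_id)

    case user.role
    when :patient
      user.id == patient_id ? allow : deny("patient may only read own record")
    when :clinician
      @care_team.fetch(user.id, []).include?(patient_id) ? allow : deny("no care relationship")
    when :billing
      allow
    else
      deny("role #{user.role} has no PHI access")
    end
  end

  def allow
    { allowed: true, reason: "ok" }
  end

  def deny(reason)
    { allowed: false, reason: reason }
  end

  # One audit event per attempt: who, what, when, why, and the outcome.
  def record_event(user, patient_id, purpose, decision)
    @audit_log << {
      at: Time.now.utc.iso8601,
      user_id: user.id,
      role: user.role,
      patient_id: patient_id,
      purpose: purpose,
      allowed: decision[:allowed],
      reason: decision[:reason],
    }
  end
end

if $PROGRAM_NAME == __FILE__
  store = PhiStore.new
  doctor = User.new(id: "dr-smith", role: :clinician)
  p store.read(doctor, "p-100", purpose: "treatment")
  begin
    store.read(doctor, "p-200", purpose: "curiosity")
  rescue AccessDenied => e
    puts "denied: #{e.message}"
  end
  store.audit_log.each { |event| p event }
end
```

The point of logging before raising is that a denied attempt is exactly the
event an incident responder needs to see; a clinician repeatedly probing
records outside their care team should show up in the log, not disappear
because the request failed.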

Dangers you need to be aware of include:

- Data being compromised by attackers
- Data being lost, stolen, not accounted for, or disposed of improperly
- Data being disclosed without proper authorization from the patient

Data protection under HIPAA requires knowledge of both technical and
non-technical concerns. On the technical side, you may encounter penetration
testing and infrastructure requirements such as encryption of data at rest and
in transit and audit logging of access to PHI. On the non-technical side, you
may have password policies, new staff onboarding requirements, and incident
reporting protocols.

The good news is, you don't have to build this infrastructure alone. On the
technical side, the hosting and infrastructure providers you work with can do a
great deal of this work for you.

Some services, like [Heroku Shield](https://www.heroku.com/shield) and
[Aptible](https://www.aptible.com/), have a guarantee that they will help you
pass your first security audit. They build into their hosting products much of
the challenging technical configuration that would be difficult to get right
if you set it up yourself on Amazon Web Services. Whichever provider you
choose, you still need a signed Business Associate Agreement (BAA) with them
before PHI touches their systems, and application-level controls such as
authorization and access logging remain your responsibility.

It is important that employees at every level of your organization are aware of
the dangers of ransomware and phishing scams. Emails disguised as internal
communication, asking for logins or passwords or leading people to click links
that install malware, have brought many health and hospital organizations to a
halt. Keeping this in mind when building and adapting systems can help you stay
prepared: assume that some credential will eventually be phished, and design
so that a single stolen login cannot expose the whole data set.

It is important to remember that HIPAA compliance is not a checkbox with a
completion date. It is an ongoing process: risk assessments, staff training,
and the safeguards themselves have to be revisited as your system and the
threats against it change.

## Users are People

This may sound like a peculiar reminder, but it is important to remember that
health technology end-users are human users, and they may be vulnerable human
users at that. 

Whether your systems are powering the machinery that their lives depend on, or
if a program is on their phone or a tablet in a doctor’s office, you are
building for a population that may be more likely to have disabilities or be
less familiar with technology overall. 

Often the user did not choose to use that software; it was provided for them.
For this reason, practicing user empathy while building is critically
important, as is taking accessibility into account. Building [accessibility
standards](https://www.youtube.com/watch?v=qQj4JLfQvtI) into the design and
development process from the start serves a broader user base, especially
people who have visual or motor impairments or who use voice technology to
access your system.

thoughtbot works with health technology companies to improve process and
technology so that compliance is guarded throughout the product design
and development process. For more information, see [how we helped Healthify grow
their team](https://thoughtbot.com/work/healthify) while building compliant 
applications.
