How We’ve Adapted HIPAA Video to Meet the GDPR
20 June 2018
In the past few years we’ve seen more than a few failures to protect user data on the part of the most renowned companies of the digital world. This just used to happen. With so many great things brought by innovation, privacy and ethical data policies seem to have been given a lower priority than they were due.
With GDPR everything changed. The General Data Protection Regulation is a legal framework that gives users much more control over their data trail. Having come into effect on May 25, 2018 in Europe, it offers more security for personal information and obliges software companies to take special measures to protect user privacy.
The development of HIPAA Video took place in a time of many huge shifts in the world of software, as well as in the global stance on how personal data should be processed. WebRTC technology was quite raw at the time, and we were among the pioneers to harness it by building HIPAA Video into a fully viable digital product. Our team made sure HIPAA Video was adjusted to international health standards, which also had to do with data privacy. However, GDPR added some further ground we had to cover.
SOFTWARE AND HEALTH
HIPAA Video is the latest web application for more accessible healthcare, allowing doctors and their patients to communicate by video call. It’s a great option for post-treatment follow-ups and consultations that don’t require patients to be examined in person. In addition, it offers an enhanced management dashboard for both the physician and the client. This enables them to carry on a text exchange, transfer files and organize their interaction in a seamless fashion. Today, we are proud to say we were the technical team behind the project.
As the name suggests, HIPAA Video was initially designed to meet the Health Insurance Portability and Accountability Act and thus be officially allowed in medical practice by hospitals and individual doctors on US soil. Compared with HIPAA, GDPR, which replaced a European directive dating back to 1995, has a few more specifics that demand additional action on the part of the developer.
WHAT DID GDPR MEAN FOR US?
First and foremost, being based in the US and processing all data in North America, HIPAA Video did not fall under the regulations of the past. Now, GDPR obliges any company, wherever in the world it is stationed, to comply and to enact a number of mechanisms for transparent data acquisition and processing, as well as control on the part of the client. It doesn’t matter where your HQ is: if you use the data of European citizens, you are accountable.
GDPR defines personal data as any information regarding an individual that can explicitly or implicitly identify the person. This applies to the name, location data, online identifiers and cues on genetic, mental, economic or cultural identity. It is quite broad, as technically even your IP address can be classified as personal. On top of that, our app deals with medicine. In accordance with HIPAA, we had already encrypted the confidential data that has to do with personal health by creating well-defined barriers between administrators, practitioners and patients. Aside from patients, medical doctors are an equally significant group of our clients, so they also benefit from GDPR, and the information regarding their medical practice is secured accordingly.
With GDPR the Terms of Service have to be more than explicit. The manner in which you reach out to obtain agreement to these terms also has to be very clear and right in the user’s face. You cannot present your user with a pre-filled checkbox and let them click straight through. HIPAA Video deals with extremely sensitive data, so we’ve ramped up the way we present the Terms of Service as well as how we obtain a vivid and unambiguous agreement from the user. In cooperation with legal advisors and the team at HIPAA Video, our UX/UI designers have come up with a written form of agreement much like the one you sign when registering at an actual hospital. This agreement is presented to the user, who signs it manually in order to continue with registration. In case the healthcare services are being provided to persons who are not of legal age, a modified version of the agreement is created for parental consent.
Data collection should be limited to the purposes of the offered services without going beyond them. Data should also be gathered only within the timespan in which the services are being provided. For this reason, our technical specialists have implemented a number of stop functions that ensure HIPAA Video is not gathering any data when it’s off and cannot be tapped by any third parties to such ends.
Users are able to reach out to the company with inquiries about collected personal data. This includes written confirmation that personal data is being collected, the exact entities processing the data, the location and purposes of processing, the categories of processed data, the timeframe of data collection, instances of disclosure to third parties (client to patient in our case) as well as confirmation of the source from which the data was obtained. This information is included in the terms of service to limit the number of incoming queries, and, of course, we have retrofitted the web platform with an automatic reply system that responds to these email inquiries.
Another thing users can do under GDPR is manage their accumulated data from outside the app they are using. First of all, it was part of our job to make sure that users are able to export their accumulated data. We’ve included it as a separate option in the settings. Patients can download their personal data as a text report that is easy to navigate. Moving on to another GDPR requirement, transferring user data to another entity at the user’s request, this report generation form is adapted for easy transfer of individual user data to another telehealth application or medical institution, not to mention to any doctor within the app, should the need arise. As for the right to stop the accumulation of data, we’ve included a switch that enables a mode in which no data is stored within the app. However, this mode limits functionality, as cookies and local storage enable many of the convenient features users are accustomed to. Last but not least, in line with the Right to Erasure (the Right to Be Forgotten), the user can permanently delete all of their data via the respective option in the settings.
When it comes to the security of personal data, not much changed in our project map, as we had already made extensive efforts to comply with HIPAA and European standards for medical secrecy. All user data storage and exchange is encrypted. We’ve used TLS, TDL and role-based authorization for the web app login, which eliminate the possibilities of hacking.
The whole construct is modular. For this reason, any breach with malicious intent would give only a very limited field of view and low access within the scope of a single module. Additionally, the admins have a global log that triggers alerts in case of any suspicious activity. Thanks to the log module, all activities are clearly listed and instances of data breach can be officially reported in a clear manner, which is highly relevant as, with GDPR, cases of data loss have to be disclosed on very short notice.
Aside from data theft, the new laws also oblige the creators of any digital product to protect user data from damage and loss, which can occur simply due to system malfunction or even wear and tear of hardware. Our team has implemented a sound technical solution that logs failures and locks down the system nodes that couldn’t perform. To revert any damage that can occur due to system failure, regular backups are in place to recover data that could potentially be lost.
The right of the user to request correction of their data is fulfilled via the usual account editing in the personal settings, which is nothing new to any standard app today.
In the end, HIPAA Video turned out to be a powerful telehealth web application that is now redefining healthcare delivery and does its part to remove a few more roadblocks on the way to more accessible medical assistance. For our team it was a very positive learning experience and yet another accolade that we are truly proud of.
As for the changes brought by GDPR, they were long overdue in the new digital economy. Companies wield tremendous power that is only going to increase as technology improves dramatically. The upgraded set of regulations to protect user data has finally defined a rightful course of conduct in the industry and ultimately allowed users to have more faith in upcoming innovative solutions. Overall, for us, adapting HIPAA Video to GDPR did not entail any dramatic shifts in our efforts. As we’ve said, the app had originally covered the requirements to qualify under HIPAA regulations, which were much similar to GDPR. We are already seeing that HIPAA Video is making good progress, and we are really happy that it is equally adapted to help users in any part of the globe.