Could I know what would be the HIPAA requirements for a medical device specification developer?
(emphasis added by myself)
It is not in my nature to completely separate the development of specifications and the development of the software product, but I will do my best.
The software specifications should at least include:
Accessibility: There are multiple dimensions to this, but access to Patient Health Information (PHI) needs to be strictly limited to authorized persons identified by the responsible organization. Shifting to the software implementation - the software cannot include elements of the design which allow the developer to get into the system/database (no back-doors, no master passwords). The specifications ought to include requirements for multi-factor authentication and possibly a mechanism which restricts access to the system to only specified locations. Multi-factor handshaking protocols and/or encryption may be useful when distributing the PHI between different systems.
Confidentiality: Under no circumstances should any element of PHI be visible except to authorized persons. This includes patient names. It is possible to design databases in such a way that the most user-facing information (e.g. the key to individual records) is not identifiable as an individual. Encryption methodologies can also be specified on this front.
I recommend including detailed specifications for audit trails which record every access of the PHI records, beyond just the creation and modification of the records. The audit trails aren't going to reduce the risk related to Accessibility/Confidentiality but they will provide a mechanism to assess the effectiveness of those controls in an implemented system.
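The points above about opaque record keys, authorization with no back door, and an audit trail that records reads as well as writes can be made concrete in code. The following is an added example, not code from the answer or from any product; `PhiStore`, its permission table, and the constructed patient record are all hypothetical, and authentication (including any MFA) is assumed to have happened upstream so that `actor` is already a verified identity. Field-level encryption is left out here so the example runs on the standard library alone.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set


class AccessDenied(PermissionError):
    """Raised when an actor is not authorized for the requested action."""


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str   # ISO-8601 UTC
    actor: str       # authenticated user id (authentication assumed done upstream)
    action: str      # "create", "read", "update" or "denied:<action>"
    record_id: str   # opaque record key, never the patient's identity


class PhiStore:
    """Hypothetical in-memory PHI store (added example, not from the answer).

    - Record keys are random tokens, so the key alone identifies nobody.
    - Authorization is an explicit allow-list supplied by the operator; no
      code path bypasses it (no back door, no master password).
    - Every access attempt, including reads and refusals, is appended to
      the audit trail, so the trail can later be used to check the controls.
    """

    def __init__(self, permissions: Dict[str, Set[str]]):
        self._permissions = permissions          # actor -> allowed actions
        self._records: Dict[str, Dict[str, str]] = {}
        self._audit: List[AuditEvent] = []

    def _log(self, actor: str, action: str, record_id: str) -> None:
        self._audit.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), actor, action, record_id))

    def _authorize(self, actor: str, action: str, record_id: str) -> None:
        # Refusals are logged before raising, so failed attempts are visible too.
        if action not in self._permissions.get(actor, set()):
            self._log(actor, f"denied:{action}", record_id)
            raise AccessDenied(f"{actor} may not {action} {record_id}")

    def create(self, actor: str, phi: Dict[str, str]) -> str:
        # The key is generated first so that a refusal is logged against it.
        record_id = secrets.token_urlsafe(16)
        self._authorize(actor, "create", record_id)
        self._records[record_id] = dict(phi)
        self._log(actor, "create", record_id)
        return record_id

    def read(self, actor: str, record_id: str) -> Dict[str, str]:
        self._authorize(actor, "read", record_id)
        self._log(actor, "read", record_id)       # reads are logged, not only writes
        return dict(self._records[record_id])

    def update(self, actor: str, record_id: str, changes: Dict[str, str]) -> None:
        self._authorize(actor, "update", record_id)
        self._records[record_id].update(changes)
        self._log(actor, "update", record_id)

    def audit_trail(self) -> List[AuditEvent]:
        return list(self._audit)


def scenario() -> List[str]:
    """Constructed walk-through: returns the sequence of audited actions."""
    store = PhiStore({
        "dr_smith": {"create", "read", "update"},
        "billing": {"read"},
        "intern": set(),                      # authenticated but not authorized
    })
    # Constructed sample record; no real patient data.
    rid = store.create("dr_smith", {"name": "Sample Patient", "dx": "J06.9"})
    store.read("billing", rid)
    try:
        store.read("intern", rid)             # expected to be refused and logged
    except AccessDenied:
        pass
    store.update("dr_smith", rid, {"dx": "J06.8"})
    return [event.action for event in store.audit_trail()]


if __name__ == "__main__":
    print(scenario())
```

Note that the audit trail carries only the opaque `record_id`, so the trail itself exposes no patient identity, and that the refused read by `intern` is recorded: an assessor can later compare the trail against the permission table to confirm the accessibility and confidentiality controls actually held.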