When testing healthcare applications, there are many government regulations that the tester must be aware of. These regulations are automatically part of any requirements, even if not explicitly stated. They are the same for all healthcare applications, so it is incumbent on any testing organization not only to thoroughly understand them but also to ensure that the test strategy and test plan accommodate them. For the healthcare industry in the United States, the main law behind these regulations is HIPAA.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It has two major components.
- Health insurance coverage is protected for workers and their families when they change or lose their jobs.
- National standards are established for the Security and Privacy of private health data while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being.
Security and Privacy of private health data are the main concerns for healthcare software testing and are applicable to all healthcare applications.
To test your product for HIPAA compliance, the five following areas must be covered:
- User Authentication – Using verification methods to ensure that those logging on are who they say they are and to deny access to all others.
- User Authorization – Access to information is authorized based on user role and patient limitations.
- Audit trail – All transactions and all attempts to access data are recorded with a proper set of audit trail information.
- Data transfers – Ensure data encryption at all transfer points according to ANSI 5010.
- Help Information – Help information on the correct and incorrect uses of data.
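The first three areas above can be checked together: every login and record-access attempt, whether allowed or denied, must leave an audit record. The following is an added example, not code from the original article; `PhiService` is a constructed stand-in for the application under test, and the users, passwords and patient identifiers are made up.

```python
# Added example: checks for three of the HIPAA areas listed above: authentication,
# role- and patient-limited authorization, and an audit trail that records every
# access attempt, successful or not. PhiService is a constructed stand-in for the
# application under test, not a real product.
import hashlib, hmac, secrets

class PhiService:
    def __init__(self):
        self.audit = []    # (user, action, patient, allowed) for every attempt
        self._users = {}   # name -> (salt, pbkdf2 digest, role, assigned patients)

    def add_user(self, name, password, role, patients=()):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[name] = (salt, digest, role, frozenset(patients))

    def authenticate(self, name, password):
        rec = self._users.get(name)
        ok = rec is not None and hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), rec[0], 100_000), rec[1])
        self.audit.append((name, "login", "", ok))   # failures are logged too
        return ok

    def read_record(self, name, patient):
        # Role limitation (clinicians only) plus patient limitation (assigned panel).
        rec = self._users.get(name)
        ok = rec is not None and rec[2] == "clinician" and patient in rec[3]
        self.audit.append((name, "read", patient, ok))
        return ok

def run_compliance_checks():
    """Exercise valid and invalid attempts and verify the audit trail covers them all."""
    svc = PhiService()
    svc.add_user("dr_lee", "correct horse", "clinician", patients={"P-001"})
    svc.add_user("billing", "staple battery", "billing")
    attempts = [
        svc.authenticate("dr_lee", "correct horse"),  # valid credentials
        svc.authenticate("dr_lee", "wrong"),          # bad password
        svc.authenticate("nobody", "x"),              # unknown user
        svc.read_record("dr_lee", "P-001"),           # assigned patient
        svc.read_record("dr_lee", "P-002"),           # outside assigned panel
        svc.read_record("billing", "P-001"),          # wrong role
    ]
    return {
        "results": attempts,   # [True, False, False, True, False, False]
        "every_attempt_audited": len(svc.audit) == len(attempts),
        "denials_audited": sum(not e[3] for e in svc.audit) == attempts.count(False),
    }
```

A real test plan would run the same pattern against the product's own login and record endpoints and read the audit store back, rather than the in-memory list used here.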
There are many other specific regulations that may or may not apply depending on the purpose of your software product. A few of these requirements include:
- When a breach of security is discovered, the affected consumer must be notified within 60 days.
- Rules for a pre-existing condition are many and complicated. For example, the exclusion period for pre-existing conditions can be 6, 12, or 18 months, depending on the circumstances. These rules are complicated, but compliance must be tested for.
- Rules concerning family members are also varied and complicated.
It’s important for the test strategy and plans to include which parts of the regulations apply and to ensure that the right rules are included in test case design to guarantee proper test coverage. Without this kind of specific domain knowledge, it is difficult to test healthcare software and ensure its quality.