When choosing which software to use for their business, healthcare organizations must assess whether the software is HIPAA compliant. Many software providers meet HIPAA Security Rule requirements by implementing safeguards to keep patient data secure. However, there’s more to HIPAA-compliant software than security. There are certain requirements that must be met by software providers before they can be considered HIPAA compliant.
When Does Software Need to be HIPAA Compliant?
Before discussing what is required for HIPAA-compliant software, it is important to understand when software needs to be HIPAA compliant. When software is used to create, store, transmit, or receive electronic protected health information (ePHI), the software must be HIPAA compliant. In these instances, software providers are considered business associates and therefore must have security measures in place to secure ePHI and have signed business associate agreements with healthcare clients.
What is Electronic Protected Health Information?
Protected health information (PHI) is any individually identifiable health information related to the past, present, or future provision of healthcare by a covered entity. Electronic PHI (ePHI) is any protected health information that is created, stored, transmitted, or received in any electronic format or media. Some examples of PHI include patients’ names, email addresses, and Social Security numbers.
HIPAA Security Requirements
HIPAA compliant software ensures the confidentiality, integrity, and availability of ePHI through HIPAA safeguards. The HIPAA Security Rule provides guidance on what security measures should be implemented to do so.
- User Authentication: HIPAA compliant software enables administrators to provide unique login credentials for each of their employees. The HIPAA Security Rule requires entities to “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
- Access Controls: HIPAA also requires ePHI access to be limited to the minimum necessary to perform a job function, so entities must “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.”
- Audit Logs: to ensure that ePHI access is in accordance with the minimum necessary standard, entities must “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
- Encryption: to prevent unauthorized access to ePHI, entities must “implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”
- Offsite Data Backup: to prevent data loss, entities must “Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”
- Other HIPAA Requirements
As a software provider servicing healthcare clients, not only does your software need to have security measures in place to protect ePHI, but also you must be HIPAA compliant.
HIPAA requires business associates to implement an effective HIPAA compliance program as follows.
Business Associate Agreements
A key component of HIPAA compliance is the ability to sign a business associate agreement. Business associate agreements (BAAs) are legal contracts between healthcare organizations and business associates that require each signing party to be HIPAA compliant and be responsible for maintaining their compliance.
Since BAAs require each party to be responsible for upholding HIPAA compliance standards, they also limit liability in the event of a breach. With an increase in healthcare organizations being breached through their business associates, it’s more important than ever to secure BAAs with all healthcare clients.
To be a HIPAA compliant software provider, you must also have signed BAAs with your vendors that have the potential to access the ePHI that your clients filter through your software.
Risk Assessments and Remediation
Each year, it is important to conduct risk assessments to identify risks and vulnerabilities to ePHI. There is a common misconception that conducting a security risk analysis is enough to meet HIPAA self-auditing requirements; however, business associates must also complete the HITECH Subtitle D Security Standards, Asset, and Device, and Physical Site audits.
To be HIPAA compliant, organizations must implement remediation plans to address deficiencies found by conducting these self-audits. Remediation plans must include how the issue will be addressed, a timeline for when it will be remedied, and who is responsible for implementing the plan.
HIPAA Policies and Procedures
To ensure adherence to HIPAA, organizations must have written HIPAA Privacy, Security, and Breach Notification policies and procedures. These policies and procedures should dictate the proper uses and disclosures of ePHI, how the software provider protects ePHI, and what to do in the event of an ePHI breach.
It is important that policies and procedures are customized for a specific organization. HIPAA requires business associates to implement “reasonably appropriate” measures to secure ePHI. However, what is considered a reasonably appropriate measure for a large organization would not necessarily be so for a small business. The policies and procedures must directly correlate with how that specific business operates. To be HIPAA compliant, the policies and procedures must be reviewed annually and amended when appropriate.
HIPAA Employee Training
A large portion of HIPAA breaches occur due to human error. The best way to avoid this type of breach is to train employees on HIPAA basics, your organization’s HIPAA policies and procedures, and cybersecurity best practices. Since each employee must be trained upon hire and HIPAA imposes annual training requirements, conducting one annual training session a year is not sufficient. As such, tracking employee training can be difficult and lead to a lapse in HIPAA compliance. To meet training requirements, it is best to use a HIPAA software solution in which employees can complete individual training that allows them to legally attest that they agree to adhere to the training material. Using software for training also allows administrators to easily track and manage employee training, ensuring that all employees are trained in a timely manner.
Breach Reporting and Incident Response
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) requires business associates to report breaches affecting ePHI. Breaches affecting less than 500 patients must be reported within 60 days from the end of the calendar year (March 1st) in which they were discovered. These breaches must be reported to the HHS’ OCR and breach notification letters must be mailed to affected individuals.
Breaches affecting 500 or more patients must be reported within 60 days of discovery. These breaches must be reported to the HHS’ OCR, affected patients, and local media outlets. Breaches affecting 500 or more patients are also listed on the OCR online breach portal for public scrutiny, colloquially known as the “HIPAA Wall of Shame.”
Business associates that have been breached must contract third-party forensic investigators to determine what caused the breach, to understand how many patients were affected, and remedy the security deficiencies that led to the breach. They are also subject to investigation by the HHS’ OCR to determine whether or not the breach was due to negligence. When OCR investigations determine that a breach was caused by a failure to adequately protect ePHI, it is deemed a HIPAA violation subject to remediation, OCR monitoring, and fines.
Contributed by Compliancy Group
HIPAA should be simple. That’s why Compliancy Group is the only HIPAA software with expert Compliance Coaches® holding your hand to simplify compliance. Compliancy Group gives you confidence in your compliance plan, increasing customer loyalty, and profitability of your organization while reducing risk. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!