What is HIPAA Compliance Software?
HIPAA compliance software is a SaaS compliance framework that assists Covered Entities and Business Associates in their compliance efforts by providing all the tools and guidance an organization needs to satisfy the requirements of the HIPAA Privacy, Security, and Breach Notification Rules, and Subtitle D of the HITECH Act.
If your organization is subject to the rules of the Health Insurance Portability and Accountability Act (HIPAA), you will understand how challenging it is to ensure you have developed policies and procedures that cover every applicable HIPAA standard. The challenge is complicated by some standards applying to some organizations but not to others, and by some implementation specifications being required while others are addressable.
The task of navigating the HIPAA standards, finding out which standards apply, and developing policies to comply with applicable standards can be assigned to one person in smaller organizations or to a team of compliance officers in larger organizations. However, regardless of how many people are assigned to compliance duties, there is always the risk of an implementation specification being overlooked due to human error – and human errors can be costly if they result in HIPAA violations.
How to Mitigate the Risk of Human Error
One way to mitigate the risk of human error – and the complexity of complying with HIPAA – is to implement HIPAA compliance software. HIPAA compliance software contains libraries of policies and procedures that can be filtered to be relevant to each organization's activities. Organizations can then compare their existing policies and procedures against the filtered selection generated by the software to identify where gaps exist in compliance.
Once any gaps have been identified in an organization's compliance efforts, the software guides compliance officers through the process of eliminating the gaps via risk assessments and analyses. The results of the assessments and analyses help compliance officers determine the content of new policies or the best way to develop new procedures. Once the policies and procedures are finalized, the software simplifies version control and document retention.
Further Benefits of HIPAA Compliance Software
In addition to finding and eliminating gaps in an organization's compliance efforts, HIPAA compliance software can be used to conduct self-audits on privacy and security standards, create inventories of assets and devices used to access PHI, track employee training, and assess the organization's preparedness for a data breach so the correct procedures are in place to notify the appropriate individuals and authorities depending on the nature of the breach.
One of the benefits of self-audits is that they enable organizations to identify when poor compliance practices have developed in the workplace. If poor compliance practices are allowed to evolve into a cultural norm of non-compliance, this can lead to an increase in HIPAA violations. Poor compliance practices can be reversed with refresher HIPAA training, provided they are identified at an early stage – something compliance officers are capable of doing with HIPAA compliance software.
HIPAA Compliant Software
HIPAA compliant software is software that has been designed to support HIPAA compliance when the software is used by a HIPAA covered entity or business associate to create, collect, store, or transmit Protected Health Information. Compliance with HIPAA is then determined by how the software is configured and used.
When vendors advertise software as HIPAA compliant, it is most often the case that the software has been developed with the necessary mechanisms to support HIPAA compliance. These mechanisms usually include access controls, audit logs, and encryption to comply with the Technical Safeguards of the Security Rule. Some software also includes automatic logoff.
However, these capabilities alone do not make software HIPAA compliant. Most often, the capabilities have to be activated or configured to comply with the Technical Safeguards, or the software has to be deployed on a device with other mechanisms in place to be compliant – as is often the case when "HIPAA compliant software" lacks an automatic logoff option.
Additionally, although software is advertised as HIPAA compliant, it does not guarantee HIPAA violations will not occur – for example, if login credentials are shared to bypass access controls. This issue is not attributable to the software and is something the end user organization should control. Nonetheless, advertising software as HIPAA compliant can lead to a false sense of security.
5 Tips for Developing & Marketing HIPAA Compliant Software
To counter allegations that software developed and marketed as HIPAA compliant software is not HIPAA compliant, vendors should take the following five tips into account.
1. Understand the Security Rule in its entirety
Some organizations consider the Security Rule to consist only of the Administrative, Physical, and Technical Safeguards. However, these Safeguards only account for around half of the "Security Standards for the Protection of Electronic Protected Health Information" (45 CFR Part 164, Subpart C), and it is important that software vendors understand the Security Rule in its entirety.
2. Develop software that is simple to configure and use
One of the reasons why software might not be configured and used compliantly is that it is too complicated to understand. Developers and vendors need to be aware that not every end user organization has an IT team with the skills to understand the workings of the software and pass that knowledge onto end users. In this respect, human technical support is essential.
3. Add mechanisms to prevent circumnavigation
In addition to developing software that is simple to configure and use, developers should integrate mechanisms that make it difficult to circumnavigate compliance controls. It is sometimes the case that end users try to take non-compliant shortcuts "to get the job done", and developers need to build in capabilities that prevent shortcuts or alert system administrators when they happen.
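As an added illustration (not code from any product or vendor mentioned on this page) of the mechanisms named above and in tip 3, the hypothetical session layer below audits every login and PHI read, logs off idle sessions automatically, and alerts an administrator when one user's credentials are live on two hosts at once, the shared-credential shortcut described earlier. The 15-minute idle timeout, the user and host names, and the record identifiers are all assumed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Session:
    user: str
    host: str
    last_activity: datetime
    active: bool = True

class PhiSessionManager:
    """Hypothetical session layer for a PHI app: audited logins and reads, automatic logoff, sharing alerts."""
    def __init__(self, idle_timeout=timedelta(minutes=15)):  # assumed site policy; HIPAA fixes no value
        self.idle_timeout, self.sessions, self.audit_log, self.alerts = idle_timeout, [], [], []

    def _audit(self, ts, event, user, host, detail=""):
        self.audit_log.append(f"{ts.isoformat()} {event} user={user} host={host} {detail}".rstrip())

    def expire_idle(self, now):  # automatic logoff: deactivate sessions idle for at least idle_timeout
        for s in self.sessions:
            if s.active and now - s.last_activity >= self.idle_timeout:
                s.active = False
                self._audit(now, "AUTO_LOGOFF", s.user, s.host, "reason=idle")

    def login(self, user, host, ts):
        self.expire_idle(ts)
        others = sorted({s.host for s in self.sessions if s.active and s.user == user and s.host != host})
        if others:  # same credentials live on two hosts at once: likely sharing, so alert an administrator
            self.alerts.append(f"{user}: new session from {host} while still active on {others}")
            self._audit(ts, "ALERT_CONCURRENT_SESSION", user, host, f"other_hosts={others}")
        session = Session(user, host, ts)
        self.sessions.append(session)
        self._audit(ts, "LOGIN", user, host)
        return session

    def access_phi(self, session, record_id, ts):  # True if the read is permitted; audited either way
        self.expire_idle(ts)
        if not session.active:
            self._audit(ts, "DENIED_AFTER_LOGOFF", session.user, session.host, f"record={record_id}")
            return False
        session.last_activity = ts
        self._audit(ts, "PHI_READ", session.user, session.host, f"record={record_id}")
        return True

def run_scenario():  # constructed sample timeline (not real data) exercising all three controls
    m, t0 = PhiSessionManager(), datetime(2024, 1, 1, 9, 0)
    a = m.login("nurse1", "ws-07", t0)
    m.access_phi(a, "MRN-0001", t0 + timedelta(minutes=2))
    m.login("nurse1", "ws-12", t0 + timedelta(minutes=5))  # ws-07 still live -> alert
    allowed = m.access_phi(a, "MRN-0002", t0 + timedelta(minutes=30))  # 28 min idle -> logged off, denied
    return m, allowed
```

Running `run_scenario()` yields one alert for the overlapping ws-07/ws-12 sessions, two AUTO_LOGOFF audit entries, and a denied read from the expired session; in a real deployment the audit trail and alerts would go to a tamper-evident log store rather than in-memory lists.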
4. Be alert to proposed HIPAA changes
Although it has been some time since a major update to HIPAA, there are several significant HIPAA changes in the pipeline. For example, the proposed "attested" category of uses and disclosures could affect access to some types of PHI, while the proposed changes to allow patients to access PHI by an app of their choice could create compatibility and security challenges for some existing applications.
5. Make it clear compliance is subject to compliant use
HIPAA Covered Entities and Business Associates have multiple rules and regulations to comply with in addition to HIPAA, and not all have the time to investigate every claim made by every software vendor. Software vendors that make it clear their HIPAA compliant software is only compliant when it is configured and used compliantly will mitigate avoidable complaints and negative reviews.
The Importance of Understanding Business Associates' Obligations
Vendors of HIPAA compliant software qualify as Business Associates, even if they have no access to PHI created, used, stored, or transmitted by the software (per HHS guidance). Therefore, a vendor that develops and markets HIPAA compliant software must itself comply with the Security and Breach Notification Rules, as well as any Privacy Rule standards included in a Business Associate Agreement between the vendor and the end user organization.
Entering into a Business Associate Agreement is essential, as the end user organization will itself be in violation of HIPAA if it fails to do so. It is also important that all security incidents are reported to the end user organization (per §164.314) – including those that do not result in a data breach – and that any disclosures of PHI to subcontractors (e.g., cloud storage services) are also covered by a Business Associate Agreement.
Since 2013, Business Associates have been directly liable for violations of HIPAA. HHS' Office for Civil Rights has the authority to impose civil monetary penalties and enforce corrective action plans on non-compliant Business Associates. State Attorneys General and – in some cases – the Federal Trade Commission can also pursue financial penalties for HIPAA violations attributable to non-compliance by Business Associates.
Therefore, it is in a software vendor's best interests to understand Business Associates' compliance obligations and seek professional compliance advice if they are unsure about which obligations apply – certainly before developing solutions that will be marketed as HIPAA compliant software.