8 min read
The Health Insurance Portability and Accountability Act, which was modified in 2013, establishes guidelines that must be followed by companies in the healthtech industry and affiliated businesses that provide any type of service, whether technological, technical, or of any kind.
In this article, we provide you with all the necessary details to understand the U.S. federal law, HIPAA. We will explain what it is, how compliance with the regulations works, and which entities are responsible for administration, enforcement, and defining penalties.
Additionally, we will clarify who must adhere to these regulations and offer some insights to help you determine if your business needs to align with U.S. legislation.
In this article:
What is HIPAA? How to comply with HIPAA? Who enforces HIPAA? Who needs to comply with HIPAA? Why do you need HIPAA compliant service providers? What is the importance of vendor oversight? How to choose a HIPAA compliant service provider? Examples of software service provider companies that need to be HIPAA compliant
HIPAA stands for Health Insurance Portability and Accountability Act, a U.S. law enacted in 1996 that aims to safeguard medical information, referred to as Protected Health Information or PHI, through a set of physical and digital security requirements.
PHI includes all data related to a person's past or future physical or mental health condition, payment for healthcare, or information that can identify an individual. This applies in any format or medium that healthcare providers, medical plans, employers, or healthcare processing centers create or receive.
To comply with the regulation, you need to ensure that the collection, storage, and transmission of information are handled properly. For instance, if your products or services deal with health data that can identify individuals, such as symptoms or diagnoses, you must guarantee secure delivery to the server.
The collected documentation is stored on your own servers or third-party ones, and in both cases, it must be backed up according to HIPAA standards. Additionally, regular maintenance and technological updates must be implemented.
Transmission of data, whether from devices to servers, between servers, or from servers to devices, via email, platforms, forms, or any other digital transfer, must be secure and encrypted.
The U.S. Department of Health and Human Services (HHS) is responsible for enforcing the privacy and security rules outlined in the Health Insurance Portability and Accountability Act.
The HHS is also in charge of reporting breaches and determining penalties, which can reach up to 1.5 million dollars.
In certain circumstances, the Department of Justice (DOJ) can impose criminal penalties. It intervenes in case of claims or reports of non-compliance, conducting researches and audits to determine whether penalties are warranted.
Healthcare professionals, hospitals, pharmacies, health maintenance organizations (HMOs), and insurance companies must comply with HIPAA. Additionally, any company that handles, stores, or transmits PHI data at any point in its workflow and is classified as a "business associate" needs to comply. This includes transcription and medical data entry services, software companies providing online health records for medical purposes, and companies processing, analyzing, and generating medical reports.
If you want to read more about the scope of the HIPAA Law in detail, you can find further information here, along with a test to determine whether your business needs to comply with this legislation.
You need HIPAA compliant service providers because it's a requirement of the regulation. In addition to protecting the PHI you create and/or manage, you must ensure that your suppliers of resources, technology, and services meet the same security requirements.
A software factory that develops a health app from scratch or adds functionality to an existing website and needs to manage protected medical information must adhere to HIPAA guidelines. This applies not only to companies directly involved in healthcare but also to those providing communication and organizational services.
If you want to delve deeper into the importance of working with a service provider that aligns with the Health Insurance Portability and Accountability Act, you can find more information here.
In addition to hiring HIPAA compliant service vendors, continuous monitoring of their compliance is crucial. This is because a violation on their part, according to U.S. law, also implicates the entity that hired them.
Many breaches of the regulation occur not due to information leaks but due to lack of awareness about updates. Technology evolves, leading to optimization of privacy and security protocols. Failure to stay abreast of market transformations can result in non-compliance with the law.
Such violations can directly impact your business in legal and financial terms, as fines can reach up to 1.5 million dollars.
To avoid risks of HIPAA non-compliance stemming from breaches by business associates, we've compiled recommendations for selecting a service provider and maintaining a long-term agreement:
Carry out an exhaustive research of vendors: before making a decision, it's crucial to gather information about their security measures and data encryption to verify compliance with HIPAA.
Conduct periodic regulations and audits: they are good practices for keeping systems updated and preventing unauthorized access or data leaks.
Enforce the signing of legal agreements: implementing Business Associate Agreements (BAAs) with vendors is a legal requirement and a vital step in defining responsibilities and expectations.
When selecting software tools for organizing tasks, information, and internal and external communications, informed choices are crucial for healthtech companies. Here's a list of well-known tools in the market and their HIPAA compliance status:
FaceTime: although it enables encrypted end-to-end audio and video calls for private communication, Apple doesn't guarantee adherence to HIPAA guidelines or sign a Business Associate Agreement (BAA). It can be used for non-clinical communications that don't involve Protected Health Information.
Google Meet: it's HIPAA compatible. Google offers a Business Associate Agreement (BAA) option for those handling Protected Health Information, making it suitable for virtual health consultations, follow-up appointments, and sharing screens for medical study analysis.
Zoom: it offers a Business Associate Agreement (BAA) to comply with U.S. regulations, ensuring a secure environment for managing and sharing clinical data.
Microsoft Teams: it's HIPAA compliant, featuring strong security measures such as data encryption in transit and at rest, multifactor authentication, and advanced threat protection. This enables collaboration and coordination among medical professionals, sharing vital patient records, real-time communication, and treatment planning.
WhatsApp: although it employs rigorous message encryption protocols, it does not provide the option to sign a BAA, making it non-HIPAA compliant. So it is only suitable for organizational communication like appointment scheduling or brief inquiries.
Calendly: while it uses secure HTTPS connections, data encryption, and compliance measures like GDPR, it isn't HIPAA compliant and doesn't offer BAA signing. It's useful for non-sensitive communication and scheduling appointments.
Amazon Web Services (AWS): AWS is willing to sign a BAA and follows HIPAA guidelines through data encryption in transit and at rest, dedicated security hardware, and comprehensive logging and auditing capabilities. This makes it possible to manage large data sets, deploy applications and analyze them. In addition, its machine learning tools can support predictive analytics without handling PHI directly.
Dropbox: it features data encryption both at rest and in transit, two-factor authentication and activity logs to ensure the protection of sensitive data. It complies with HIPAA requirements and is available for signing the BAA.
Google Drive: it employs strong security measures such as data encryption in transit and at rest, access controls, and audit logs, along with BAA signing. It's HIPAA compliant.
OneDrive: OneDrive can be used in a way that adheres to HIPAA requirements for PHI protection. It serves as storage and sharing for secure patient medical records, images, plans, and analysis results.
iCloud: it doesn't comply with HIPAA regulations and, therefore, is not suitable for storing or transmitting PHI. If used in medical settings, it's recommended to exercise caution to avoid violating the law.
Mailchimp: according to HIPAA, Mailchimp isn't considered a business associate that safeguards data, making it unsuitable for use as a provider. However, it's a very useful tool for communication and marketing tasks that don't involve the use of confidential data.
Gmail: it can be configured to comply with HIPAA, and Google offers the option to sign a Business Associate Agreement (BAA), making it a good choice for exchanging information and PHI messages.
Asana: it doesn't align with the requirements of the HIPAA law, so it can be used for organizing tasks and projects that don't involve sensitive or private information.
If you found this article helpful, share it with your team to keep them informed about the importance of handling medical information correctly. We also recommend reading more about HIPAA on our blog.