7 min read

How to become HIPAA compliant?

How to become HIPAA compliant?

To comply with HIPAA (Health Insurance Portability and Accountability Act), your business must meet security, privacy, and encryption standards for the protected health information (PHI) used in its entire workflow. In this regard, the companies you hire as vendors, the people you employ whether for administrative or healthcare tasks, the software you use in your daily operations, and the handling of both physical and digital data, must obey HIPAA compliance standards.

Technology helps us manage, protect, and grow our businesses, but it also poses risks to information security, such as phishing, ransomware, and malware.

These attacks are common due to the value of data in the market. For instance, basic data like ID numbers, names, addresses, and phone numbers can be sold for $0.5 to $10, while more complex information like medical history can fetch up to 250 dollars.

Protecting customer privacy and cybersecurity is crucial across all industries, especially healthcare. Therefore, being HIPAA compliant involves keeping up with information protection updates.

If you're wondering how long it takes to become HIPAA compliant, we don't have a concrete answer for you. The timeline depends on how quickly you can develop your business model and workflow. This includes creating policies and protocols, appointing an internal oversight team, designing HIPAA-compliant data management software, and training all individuals in your organization.

Before proceeding, we suggest reading our article "Should I be HIPAA compliant?" so that you can take the self-test and find out if you are subject to these requirements. If you've already done so, continue reading to understand the steps needed to align with HIPAA.

In this article:

What is required to become HIPAA compliant?

Best practices for HIPAA compliance involve, along with a thorough understanding of the law and updates in security, focusing on the following:

  1. Understand your business model and workflow to create policies and protocols for managing, circulating, and storing protected health information. This will help identify potential risks and vulnerabilities in order to design strategies and security measures.

  2. Appoint an internal oversight team. It will be responsible for ensuring compliance and implementing policies, enforcing protocols in case of non-compliance, and keeping them up-to-date.

  3. Keep a record of all individuals and devices with access to PHI. It should classify the level of risk and specify the monitoring policy and action protocols in case of a breach.

  4. Train everyone in the institution on managing PHI. Clearly explain how to handle information and the consequences of leaks.

  5. Only hire HIPAA-compliant companies. Whether it's for short or long-term contracts, regardless of their direct involvement in PHI management (e.g., building maintenance, catering, software development), they must comply with HIPAA and sign business associate agreements (BAA). Review and update these contracts annually.

  6. Conduct risk assessments regularly. The aim is to spot potential threats to electronic or physical PHI security, such as hacks, data theft, or leaks. If needed, update policies, protocols, and security measures, and inform everyone in the organization.

Documenting all processes is also important for HIPAA compliance. This includes privacy and security policies, risk assessment procedures, audits, results, solutions, contingency plans, and staff training sessions.

We often get asked, "Does HIPAA require certification?". However, the US Department of Health and Human Services (HHS) does not issue certificates confirming a company's adherence to the regulation's protocols and requirements.

If you need more information to understand what HIPAA is, we suggest reading this article. Next, we'll delve into what protected health information entails, and then we'll move on to see the requirements that software must meet to align with HIPAA legislation.

What information is considered PHI?

Understanding what qualifies as protected health information is vital for ensuring its proper safeguarding. There are three types of PHI:

  • Individually Identifiable Health Information (IIHI): Any data relating to a patient's past, present or future condition; the provision of healthcare to the patient; or the payment for it; along with any key identifier in the same record set.

  • Personally Identifiable Information (PII): There are 18 key identifiers, including: name, date of birth, email, social security number, phone number, IP address, etc. When data is cross-referenced, these elements can reveal a person's identity.

  • Medical history or treatment information: Anything related to purely medical data. For example: "20 mg of dextroamphetamine", "mental health deterioration due to Alzheimer", "low blood pressure of 105/80".

All of this data in itself is not PHI. It becomes PHI when collected by health plans, clearinghouses, and professionals, for the purpose of providing healthcare services or billing.

What are the requirements for HIPAA-compliant software?

Developing software that adheres to HIPAA regulations requires ensuring that PHI is handled with security, privacy, and encryption measures throughout the entire process of collection, storage, and transmission. It's also essential for the programming team to undergo training in the regulations to ensure compliance with established protocols when working with this data.

While creating HIPAA-compliant applications and websites is a complex task, there are five key requirements that software must meet to comply with HIPAA:

  1. Control access to data. Implement measures such as session expiration, strong passwords, and multi-factor authentication to restrict access to PHI. Additionally, alert users when they are handling sensitive information.

  2. Ensure user reliability and request authorization for the use of PHI. Maintain strong passwords and multi-step authentication while also including checkboxes for patients to consent to how the software collects, uses, and shares information.

  3. Audit activity. Keep a record of PHI handling by requiring users to log in with a username and password. Document failed attempts and record information such as views, uploads, downloads, storage, and transmission of data.

  4. Ensure system integrity. Encrypt all data and PHI end-to-end, whether it's stored or in transit.

  5. Secure information transmission. Guarantee the safe use of PHI and create backups using HIPAA-compliant providers.

Following this HIPAA compliance checklist can guide you through the essential steps and make your journey easier.

Types of HIPAA Non-compliance

In order to understand how to comply with HIPAA, it may be useful to visualize concretely what actions are considered as non-compliance. This way, you can be more alert and mindful of protecting all instances of information circulation:

  1. Data leakage due to lack of security.

  2. Unauthorized access or disclosure of PHI.

  3. Inadequate training for healthcare and administrative staff, or anyone in contact with PHI.

  4. Failure to notify the relevant authorities of any of the above mentioned infringements.

It's important to note that penalties for HIPAA non-compliance can be very costly. Depending on the seriousness of the violation, fines range from 100 to 1.5 million dollars. The Office for Civil Rights (OCR) of the United States is responsible for auditing and determining sanctions based on the severity and degree of negligence.

Examples of HIPAA Non-compliance

To provide a clearer understanding of situations that could violate the HIPAA Law, let's consider an example scenario.

Doctor Ana's secretary resigns, and the medical institution hires a new assistant, Sofia, without assessing her knowledge of data protection.

Ana hands Sofia medical orders that are already signed and stamped because her patients will collect them that day. Sofia leaves them on her desk throughout the day, visible to anyone seeking assistance.

At the end of the day, Ana notices the papers on Sofia's desk, explains why it's incorrect, and leaves for home.

Here, several errors occur. Firstly, the institution fails to ensure Sofia's proper training in HIPAA compliance, leading to subsequent mistakes.

The doctor trusts someone who lacks HIPAA training, granting access to PHI, including patient names, diagnoses, treatments, and social security numbers.

Sofia exposes papers containing protected medical data for extended periods, **potentially accessible to unauthorized individuals who could read, memorize, or even photograph that data. **

Lastly, Ana, upon recognizing Sofia's error, fails to report the potential data breach to the appropriate authorities.

We hope you've taken note of all the recommendations so that your business and digital products comply with HIPAA. If you have any questions, you can write to us at hola@xoor.io; and if you want to receive advice on creating a health application or website that complies with US or Canadian regulations, schedule a meeting here.