In order to be HIPAA compliant, your whole business chain, including service providers, must adhere to the security requirements established by the U.S. Health Insurance Portability and Accountability Act.
What does "HIPAA compliant" mean? It means conforming to the U.S. federal regulations that require companies handling medical data to protect that information through rigorous physical and digital security protocols.
In the article “Should I be HIPAA compliant?” we explain the legislation’s scope in detail and offer a simplified version of the official test from the United States Federal Trade Commission, so that you can quickly check whether your business needs to adhere to this certification or not.
Below, we outline all the reasons why you should hire providers with knowledge of the HIPAA Law, and we specify which industries need to align with these regulations.
If you are involved in the healthtech industry, according to HIPAA regulations it is not enough to safeguard individuals’ information throughout your business workflow. You also need to make sure that business partners and companies supplying you with materials, technology and services are also compliant. This way, you ensure that there are no data breaches and that medical information (PHI) remains secure.
For instance, laboratories providing analysis reports, life insurance or workers' compensation companies, billing service providers, catering companies for executive events, and even cleaning services, are all required to comply with the regulation.
Similarly, a software factory responsible for building a web application from scratch, intended for individuals performing clinical analysis to upload reports and for healthcare professionals to get patient diagnoses, needs to adhere to HIPAA regulations. Even software service providers that only develop a functionality for an existing digital product must comply with these requirements, as they interact with protected medical information (PHI) and must develop systems for secure access and transfer.
Otherwise, those using these systems would be in violation of the U.S. federal law, HIPAA.
Business associates are the supplier companies of entities that provide healthcare services; they must comply with the security protocols set out in the federal HIPAA regulations. These are entities that offer services to companies operating with medical information, such as:
Technology infrastructure providers
Communication and messaging companies
Moreover, organizations actively working with PHI are referred to as covered entities. This category includes medical professionals and their practices, hospitals, pharmacies, insurance companies, and healthcare maintenance organizations.
Organizations that implement the security and encryption procedures outlined in the law must undergo an audit. If everything is correctly applied, they can ensure compliance with HIPAA.
Failure to comply with the regulations, or violating them through information breaches or unforeseen circumstances, can lead to fines of up to 1.5 million dollars. Non-compliance includes failure to report a HIPAA violation, unauthorized access to patient information, improper disposal of PHI, loss of devices, malware installation (even accidental), and lack of security measures.
The regulations impose four requirements on covered entities. Here's the HIPAA compliance checklist:
Maintain backups to ensure PHI is always protected.
Restrict the use of PHI to necessary individuals only.
Establish contracts with business associates and partners to guarantee PHI security.
Implement policies and procedures that limit access to PHI, and train employees and users in data security and confidentiality best practices.
If you want to delve into the details of the U.S. federal law, the Health Insurance Portability and Accountability Act, click here.