How To Become HIPAA Compliant?

Mindbowser hosted a talk on HIPAA compliance in healthcare with Liam Degnan, Senior Account Manager with Compliancy Group. Liam has a long history in risk management and a unique understanding of the world of HIPAA compliance.

Here are the excerpts from the talk that will make it easy for you to understand HIPAA.

You can watch the webinar video here.

What are the steps to become HIPAA compliant?

HIPAA compliance is a matter of ensuring the well-being and security of your data. First is that initial risk analysis which can paint a clearer picture of what threats may be facing your company at any given moment. Conducting such an analysis once every year helps you take a deeper look into the issues specifically related to HIPAA compliance and provides new insight into how you can protect yourself from risks or attacks.

A proper HIPAA audit helps mitigate some risk factors in a specific environment. For example, if the inventory document focuses on serving patients correctly, it would be better for the team first to identify and assess the requirements of healthcare business operations.

Because you’re not treating patients first, there’s a general “it/infrastructure” risk analysis and something called an asset audit about devices that could connect either directly to your cloud service or access directly to your client. This includes everything from hardware to software and anything else connected to the internet. Any device that doesn’t pass HIPAA guidelines could be disastrous, so you want to make sure there isn’t anything in this category before starting up. 

You won’t find any physical infrastructure hosting sensitive patient data because all of your online servers are in the cloud. This makes it necessary to reevaluate your specific AWS or Azure hosting services (per Amazon’s and Microsoft’s recommendations) for compliance with HIPAA standards, such as the requirement for encryption via a virtual private network. It is important to ensure that you’re using their HIPAA-compliant versions of these services so that you can always be in line with government regulations regarding medical records and privacy concerns.

When adding HIPAA-compliant hosting to your office, it is important to upgrade from the regular subscription that most providers offer. A simple upgrade away from vendor-provided hosting is an additional layer of security when uploading sensitive data online instead of using FTP or e-mail. Hosting HIPAA-compliant sites allows for increased flexibility when it comes down to moving a site between two different web hosts if you are unsatisfied with one provider.

One way to figure out your HIPAA compliant needs is by performing a thorough risk analysis first. A risk assessment will allow you to see all the instances where you might lack compliance and how it may affect you. List down those pieces of information you have identified as critical and start with implementing solutions that effectively fill in those holes in your plan of action (related to HIPAA compliance), so it will no longer cause you any problems down the line.

So the ultimate recommendation to everybody is that if you’ve never completed a HIPAA risk analysis before (that’s where you have to begin because that has to be documented annually for the compliance program regardless), it’s probably a good idea to start there – with the HIPAA Risk Analysis. While your business may not be required to develop one, it still makes sense to start here as a core step in creating your company’s HIPAA Compliance Program because this way, you’re going to have an understanding of what exactly needs to be followed when creating your HIPAA Compliance Plan which should then make it easier for you and help minimize any amount of stress or confusion caused by setting up a new policy!

To what extent are the HIPAA privacy/security policies used by HIPAA compliant organizations boilerplate vs customized for the application?

It depends; the perspective of HIPAA policies is more or less going to be set in stone, so are the policies you need to have in place for the compliance program. You need very specific security and privacy policies specific training.

Most policy documents are standardized, so there’s not going to be a ton that needs to be customized there aside from figuring out which policies apply specifically to your business model in light of your internal circumstances. 

It’s the procedure document(s) you’re probably going to have to check with on a case-by-case basis because companies often have their own policies. Policies are meant to offer a set of rules that employees can follow so as not to cause any problems or risk issues when it comes down to implementing company rules and restrictions put in place for the benefit and safety of your corporation and its customers! Of course, depending on where you work and other factors such as local/national laws, these policies may vary from company to company. Unfortunately, some businesses may also face additional limitations due to external regulations.

As the policy describes how you will apply the law within your Company, the procedure can be described as how that policy is implemented. The policy may be considered a boilerplate, but with each procedure, unique differences and intricacies need to be covered once put into practice. The next step involves creating a proper set of procedures for each specific policy to clearly outline what should be done, how each process operation should work, and who should be held accountable by management in case of an error or mistake.

How early should we designate a privacy compliance officer and HIPAA security officer?

As long as there is a compliance officer described in one’s job description for an organization, then anyone in that company can work on making sure a company meets its requirements for being HIPAA (Health Insurance Portability and Accountability Act) compliant.

The bottom line is that the person who works with human relations or oversees the operational side of the business will be best suited to work as your chief privacy officer because they’re going to be managing everything related to people at many levels and be most familiar with company policies and procedures. 

Your security manager should understand all things tech while your development manager should understand how everything is actually put together by looking at it from a high-level perspective. Whoever you have in charge of each area, consider that role being filled by a different person – because whoever you don’t currently have lined up for those roles should fill in elsewhere!

If you outsource development that’s another story, but let’s say you do have somebody who is responsible for handling security matters in your platform. That person could be a great fit for a security or compliance officer because they already know the ropes. It doesn’t matter too much; so long as you have it in their job description.

What would be the minimum viable HIPAA setup required before having a functional platform/being able to approach partners e.g. healthcare practices?

HIPAA compliance is about being proactive. It’s about gathering the right guidelines, forming a plan with action steps, and taking the time to bring your ideas to life in such a way that you not only protect your data but also allow for growth as your business does. Data security isn’t something you should put off – it’s something that should be planned from the get-go because one of your top priorities should always be protecting any and all data that belongs to your company!

The main thing to remember about following guidelines and rules is that you want to always document your progress for those in the auditing position. It’s called Good Faith Effort or GFE. Let’s take a look at the example of HIPAA compliance regulations. You’ll need to assess your company to determine which health data regulations apply to you after determining which risks will be faced. As a result, it’ll be important to implement health data privacy policies that demonstrate responsible care and protection.

Staff training is a very important aspect of business activity. Business associate agreements tend to be some of the most foundational things you need, not just that, but you need to have all of those things implemented and fully functional.

Before your business can be HIPAA compliant or roll out your platform, you need to be able to show that in conjunction with each of those requirements, you have documented a clear, good-faith effort in implementing those requirements. For instance, if risk analysis is one of the requirements, one needs to show that they have done that risk analysis.

That takes time; however, once you’ve implemented those policies, maybe not everything is fully operationalized or in its best state yet, but now you have something to show that you are indeed making some progress and bringing yourself towards that finish line by following the right procedures. You can always continue to amend those policies as long as you keep your documentation updated every step of the way so that it becomes clearer to meet the company’s expectations moving forward. Documenting these procedures will allow you to be sure that you’re doing things right year after year. If anything changes along the way, there will still be a record of what was done before for reference and all the tasks needed for someone else to complete it successfully.

What processes are required to enable health data visibility for health insurers (e.g. connecting them to an EHR, biometric output data, telemedicine data) in a HIPAA compliant manner?

HIPAA compliance ensures that patient health data does not become visible to the public, posing a threat to their safety and well-being. When you need to integrate with EMR or EHR software, HIPAA can manage the security concerns of sharing sensitive information with healthcare providers, insurance companies, consumers, or other third-party apps, etc.

HIPAA doesn’t have very specific security requirements. There won’t be a requirement to implement strong encryption or backup policies; no specific certification will be necessary to follow the law. Suppose there are particular technical security requirements in place at some point. In that case, those rules might end up being enacted at the discretion of a covered entity or business associate involved in the oversight of data covered under HIPAA.

We believe that it will vary and that you should determine this for yourself as there are many unique circumstances. The process for deciding whether you’ve done enough is up to you and depends on your business area, but generally, most businesses will want to be able to prove an area of risk was addressed and that they did what they could. Therefore, the easiest way for the majority of businesses would be to simply ensure data in their platform is encrypted. The easiest way often is by making sure any third-party hosting provider your business uses adheres to HIPAA (Health Information Portability and Accountability Act) guidelines. You may also wish to sign a Business Associate Agreement and meet additional security requirements as well. In this situation, as per HIPAA, responsibility ends once the information leaves their hands provided this has been appropriately handled via BAA beforehand.

To what extent do the HIPAA security safeguards differ from those of a typical corporation where there are already premise access restrictions and data encryptions/secure emails?

HIPAA compliance is vital to have because this policy is required by law, but it’s important to realize that only having a general HIPAA policy will not suffice. If your company were to undergo an audit or suffer a breach, you could find yourself having to address various issues beyond the scope of your current HIPAA policies.

HIPAA is just a convenient acronym that encompasses all of the requirements – or laws – set forth by various federal and state governments related to keeping private health-related information protected, which of course, includes a lot of medical data.

A general security policy could be a great place to start when trying to become HIPAA compliant. However, if you’re going to be following any regulation, you might go straight to HIPAA compliance because otherwise, the path to get there can be more complicated.

We work with many start-ups and a way to ensure that your code follows the best possible format is through simply using document managers. It’s very easy to get started and when you do things properly at first, down the road when you’re a more established company and want to update your practices, for example, documenting may be simpler for you!

If you’re building a product, it’s always good to start with a framework and use that as the foundation of your strategy. And then, if you have no idea what customers want or need, close your eyes and try to imagine what they would want.

What are the steps of arranging a business associate agreement – what would be needed in instances where the BA is not originally HIPAA compliant?

The business associate agreement is a standardized legal document to ensure that policies are consistent across different companies. Look at the standard business associate agreement, and compare it to the one a vendor is asking you to sign if you find significant discrepancies there might be an issue. The majority of big companies are going to be fine with Google, Microsoft, AWS.

Business associates (BA) agreements can be a good way to protect you and your business from any liability that arises when working with another party. There are some cons to also taking on a BAA. However, it’s always a good idea to reverse-check any BA agreement for any potential issues and bring in legal advice before signing on the dotted line.

Companies should be aware that more than just signing a BA contract, it is needed to ensure the reliability of vendors selected for the business. Not doing so may result in security vulnerabilities, particularly regarding the confidentiality and availability of protected health information (PHI). Therefore, an organization should conduct a minimal risk assessment on potential vendors when determining their eligibility as BA.

Working with an external party is a great way to bolster your organization’s security. The best way to ensure the protection of data from potential threats, both internal and external, is by requesting that vendors disclose their respective practices for safeguarding sensitive information. For example: if you’re working with a vendor such as Amazon Web Services or Azure – it would be reasonable for you to expect that they practice due diligence regarding information security.

Some HIPAA requirements are guidelines that can supersede federal mandates, for example, having an IT security system put in place by a certified company. Therefore, if you know this type of certification is in place, it can help you feel confident that you don’t need to worry about the other due diligence.

We hope the above questions help clarify HIPAA regulations on data security. Feel free to contact us for more information about HIPAA and how it relates to your business. You can watch the webinar on our website here.

Achieving Healthcare Interoperability Through HL7 Standards

Content Team

This blog is from Mindbowser‘s content team – a group of individuals coming together to create pieces that you may like. If you have feedback, please drop us a message on contact@mindbowser.com

Get in touch for a detailed discussion.

Hear From Our 100+ Customers
coma

Mindbowser helped us build an awesome iOS app to bring balance to people’s lives.

author
ADDIE WOOTTEN
CEO, SMILINGMIND
coma

We had very close go live timeline and MindBowser team got us live a month before.

author
Shaz Khan
CEO, BuyNow WorldWide
coma

They were a very responsive team! Extremely easy to communicate and work with!

author
Kristen M.
Founder & CEO, TotTech
coma

We’ve had very little-to-no hiccups at all—it’s been a really pleasurable experience.

author
Chacko Thomas
Co-Founder, TEAM8s
coma

Mindbowser is one of the reasons that our app is successful. These guys have been a great team.

author
Dave Dubier
Founder & CEO, MangoMirror
coma

Mindbowser was very helpful with explaining the development process and started quickly on the project.

author
Hieu Le
Executive Director of Product Development, Innovation Lab
coma

The greatest benefit we got from Mindbowser is the expertise. Their team has developed apps in all different industries with all types of social proofs.

author
Alex Gobel
Co-Founder, Vesica
coma

Mindbowser is professional, efficient and thorough. 

author
MacKenzie R
Consultant at XPRIZE
coma

Very committed, they create beautiful apps and are very benevolent. They have brilliant Ideas.

author
Laurie Mastrogiani
Founder, S.T.A.R.S of Wellness
coma

MindBowser was great; they listened to us a lot and helped us hone in on the actual idea of the app.” “They had put together fantastic wireframes for us.

author
Bennet Gillogly
Co-Founder, Flat Earth
coma

They're very tech-savvy, yet humble.

author
Uma Nidmarty
CEO, GS Advisorate, Inc.
coma

Ayush was responsive and paired me with the best team member possible, to complete my complex vision and project. Could not be happier.

author
Katie Taylor
Founder, Child Life On Call
coma

As a founder of a budding start-up, it has been a great experience working with Mindbower Inc under Ayush's leadership for our online digital platform design and development activity.

author
Radhika Kotwal
Founder of Courtyardly
coma

The team from Mindbowser stayed on task, asked the right questions, and completed the required tasks in a timely fashion! Strong work team!

author
Michael Wright
Chief Executive Officer, SDOH2Health LLC
coma

They are focused, patient and; they are innovative. Please give them a shot if you are looking for someone to partner with, you can go along with Mindbowser.

author
David Cain
CEO, thirty2give
coma

We are a small non-profit on a budget and they were able to deliver their work at our prescribed budgets. Their team always met their objectives and I'm very happy with the end result. Thank you, Mindbowser team!!

author
Bart Mendel
Founder, Mindworks