How to Become HIPAA Compliant?

Mindbowser hosted a talk on HIPAA compliance in healthcare with Liam Degnan, Senior Account Manager with Compliancy Group. Liam has a long history in risk management and a unique understanding of the world of HIPAA compliance.

Here are the excerpts from the talk that will make it easy for you to understand HIPAA.

What are the Steps to Become HIPAA Compliant?

HIPAA compliance is a matter of ensuring the well-being and security of your data. The first step is the initial risk analysis, which can paint a clearer picture of what threats may be facing your company at any given moment. Conducting such an analysis once every year helps you take a deeper look into the issues specifically related to HIPAA compliance and provides new insight into how you can protect yourself from risks or attacks.

A proper HIPAA audit helps mitigate some risk factors in a specific environment. For example, if the inventory document focuses on serving patients correctly, it would be better for the team first to identify and assess the requirements of healthcare business operations.

Because you’re not treating patients first, there’s a general IT/infrastructure risk analysis and something called an asset audit, which covers devices that could connect directly to your cloud service or directly access your client. This includes everything from hardware to software and anything else connected to the internet. Any device that doesn’t pass HIPAA guidelines could be disastrous, so you want to make sure there isn’t anything in this category before starting up.

You won’t find any physical infrastructure hosting sensitive patient data because all of your online servers are in the cloud. This makes it necessary to reevaluate your specific AWS or Azure hosting services (per Amazon’s and Microsoft’s recommendations) for compliance with HIPAA standards, such as the requirement for encryption via a virtual private network. It is important to ensure that you’re using HIPAA-compliant versions of these AWS services so that you can always be in line with government regulations regarding medical records and privacy concerns.

When adding HIPAA-compliant hosting to your office, it is important to upgrade from the regular subscription that most providers offer. A simple upgrade away from vendor-provided hosting is an additional layer of security when uploading sensitive data online instead of using FTP or e-mail. Hosting HIPAA-compliant sites allows for increased flexibility when it comes down to moving a site between two different web hosts if you are unsatisfied with one provider.

One way to figure out your HIPAA compliant needs is by performing a thorough risk analysis first. A risk assessment will allow you to see all the instances where you might lack compliance and how it may affect you. List down those pieces of information you have identified as critical and start with implementing solutions that effectively fill in those holes in your plan of action (related to HIPAA compliance), so it will no longer cause you any problems down the line.

So the ultimate recommendation to everybody is that if you’ve never completed a HIPAA risk analysis before (that’s where you have to begin because that has to be documented annually for the compliance program regardless), it’s probably a good idea to start there – with the HIPAA Risk Analysis.

While your business may not be required to develop one, it still makes sense to start here as a core step in creating your company’s HIPAA Compliance Program because this way, you’re going to have an understanding of what exactly needs to be followed when creating your HIPAA Compliance Plan which should then make it easier for you and help minimize any amount of stress or confusion caused by setting up a new policy!

🔹 To What Extent are the HIPAA Privacy/Security Policies Used by HIPAA Compliant Organizations Boilerplate vs Customized for the Application?

It depends; the perspective of HIPAA policies is more or less going to be set in stone, and so are the policies you need to have in place for the compliance program. You need very specific security and privacy policies and specific training.

Most policy documents are standardized, so there’s not going to be a ton that needs to be customized there aside from figuring out which policies apply specifically to your business model in light of your internal circumstances. 

It’s the procedure document(s) you’re probably going to have to check with on a case-by-case basis because companies often have their own policies. Policies are meant to offer a set of rules that employees can follow so as not to cause any problems or risk issues when it comes down to implementing company rules and restrictions put in place for the benefit and safety of your corporation and its customers!

Of course, depending on where you work and other factors such as local/national laws, these policies may vary from company to company. Unfortunately, some businesses may also face additional limitations due to external regulations.

As the policy describes how you will apply the law within your company, the procedure can be described as how that policy is implemented. The policy may be considered a boilerplate, but with each procedure, unique differences and intricacies need to be covered once put into practice.

The next step involves creating a proper set of procedures for each specific policy to clearly outline what should be done, how each process operation should work, and who should be held accountable by management in case of an error or mistake.

🔹 How Early Should we Designate a Privacy Compliance Officer and HIPAA Security Officer?

As long as the compliance officer role is described in someone’s job description, anyone in the company can work on making sure the company meets its requirements for being HIPAA (Health Insurance Portability and Accountability Act) compliant.

The bottom line is that the person who works with human relations or oversees the operational side of the business will be best suited to work as your chief privacy officer because they’re going to be managing everything related to people at many levels and be most familiar with company policies and procedures. 

Your security manager should understand all things tech, while your development manager should understand how everything is actually put together by looking at it from a high-level perspective. Whoever you have in charge of each area, consider that role being filled by a different person, because whoever you don’t currently have lined up for those roles should fill in elsewhere!

If you outsource development, that’s another story, but let’s say you do have somebody responsible for handling security matters in your platform. That person could be a great fit for a security or compliance officer because they already know the ropes. It doesn’t matter too much, so long as you have it in their job description.

🔹 What Would be the Minimum Viable HIPAA Setup Required Before having a Functional Platform/Being Able to Approach Partners e.g. Healthcare Practices?

HIPAA compliance is about being proactive. It’s about gathering the right guidelines, forming a plan with action steps, and taking the time to bring your ideas to life in such a way that you not only protect your data but also allow for growth as your business does. Data security isn’t something you should put off – it’s something that should be planned from the get-go because one of your top priorities should always be protecting any and all data that belongs to your company!

The main thing to remember about following guidelines and rules is that you want to always document your progress for those in the auditing position. It’s called Good Faith Effort or GFE.

Let’s take a look at the example of HIPAA compliance regulations. You’ll need to assess your company to determine which health data regulations apply to you after determining which risks will be faced. As a result, it’ll be important to implement health data privacy policies that demonstrate responsible care and protection.

Staff training is a very important aspect of business activity. Business associate agreements tend to be some of the most foundational things you need. Beyond that, you need to have all of those things implemented and fully functional.

Before your business can be HIPAA compliant or roll out your platform, you need to be able to show that in conjunction with each of those requirements, you have documented a clear, good-faith effort in implementing those requirements. For instance, if risk analysis is one of the requirements, one needs to show that they have done that risk analysis.

That takes time; however, once you’ve implemented those policies, maybe not everything is fully operationalized or in its best state yet, but now you have something to show that you are indeed making some progress and bringing yourself towards that finish line by following the right procedures.

You can always continue to amend those policies as long as you keep your documentation updated every step of the way so that it becomes clearer to meet the company’s expectations moving forward. Documenting these procedures will allow you to be sure that you’re doing things right year after year.

If anything changes along the way, there will still be a record of what was done before for reference and all the tasks needed for someone else to complete it successfully.

🔹 What Processes are Required to Enable Health Data Visibility for Health Insurers (e.g. Connecting them to an EHR, Biometric Output Data, Telemedicine Data) in a HIPAA Compliant Manner?

HIPAA compliance ensures that patient health data does not become visible to the public, posing a threat to their safety and well-being. When you need to integrate with EMR or EHR software, HIPAA can manage the security concerns of sharing sensitive information with healthcare providers, insurance companies, consumers, or other third-party apps, etc.

HIPAA doesn’t have very specific security requirements. There won’t be a requirement to implement strong encryption or backup policies; no specific certification will be necessary to follow the law. If there are particular technical security requirements in place at some point, those rules might end up being enacted at the discretion of a covered entity or business associate involved in the oversight of data covered under HIPAA.

We believe that it will vary and that you should determine this for yourself as there are many unique circumstances. The process for deciding whether you’ve done enough is up to you and depends on your business area, but generally, most businesses will want to be able to prove an area of risk was addressed and that they did what they could.

Therefore, the easiest way for the majority of businesses would be to simply ensure data in their platform is encrypted. Often the easiest way to do that is by making sure any third-party hosting provider your business uses adheres to HIPAA (Health Insurance Portability and Accountability Act) guidelines.

You may also wish to sign a HIPAA Business Associate Agreement and meet additional security requirements as well. In this situation, as per HIPAA, responsibility ends once the information leaves their hands, provided this has been appropriately handled via a BAA beforehand.

🔹 To What Extent do the HIPAA Security Safeguards Differ from Those of a Typical Corporation where there are Already Premise Access Restrictions and Data Encryptions/Secure Emails?

HIPAA compliance is vital to have because this policy is required by law, but it’s important to realize that only having a general HIPAA policy will not suffice. If your company were to undergo an audit or suffer a breach, you could find yourself having to address various issues beyond the scope of your current HIPAA policies.

HIPAA is just a convenient acronym that encompasses all of the requirements – or laws – set forth by various federal and state governments related to keeping private health-related information protected, which of course, includes a lot of medical data.

A general security policy could be a great place to start when trying to become HIPAA compliant. However, if you’re going to be following any regulation, you might go straight to HIPAA compliance because otherwise, the path to get there can be more complicated.

We work with many start-ups and a way to ensure that your code follows the best possible format is through simply using document managers. It’s very easy to get started and when you do things properly at first, down the road when you’re a more established company and want to update your practices, for example, documenting may be simpler for you!

If you’re building a product, it’s always good to start with a framework and use that as the foundation of your strategy. And then, if you have no idea what customers want or need, close your eyes and try to imagine what they would want.

🔹 What are the Steps of Arranging a Business Associate Agreement – What would be Needed in Instances Where the BA is Not Originally HIPAA Compliant?

The business associate agreement is a standardized legal document to ensure that policies are consistent across different companies. Look at the standard business associate agreement, and compare it to the one a vendor is asking you to sign. If you find significant discrepancies, there might be an issue. The majority of big companies are going to be fine with Google, Microsoft, AWS.

Business associate (BA) agreements can be a good way to protect you and your business from any liability that arises when working with another party. There are also some cons to taking on a BAA. However, it’s always a good idea to reverse-check any BA agreement for any potential issues and bring in legal advice before signing on the dotted line.

Companies should be aware that, beyond just signing a BA contract, they need to ensure the reliability of the vendors selected for the business. Not doing so may result in security vulnerabilities, particularly regarding the confidentiality and availability of protected health information (PHI). Therefore, an organization should conduct a minimal risk assessment on potential vendors when determining their eligibility as a BA.

Working with an external party is a great way to bolster your organization’s security. The best way to ensure the protection of data from potential threats, both internal and external, is by requesting that vendors disclose their respective practices for safeguarding sensitive information. For example, if you’re working with a vendor such as Amazon Web Services or Azure, it would be reasonable for you to expect that they practice due diligence regarding information security.

Some HIPAA requirements are guidelines that can supersede federal mandates, for example, having an IT security system put in place by a certified company. Therefore, if you know this type of certification is in place, it can help you feel confident that you don’t need to worry about the other due diligence.

We hope the above questions help clarify HIPAA regulations on data security. Feel free to contact us for more information about HIPAA and how it relates to your business. You can watch the webinar on our website here.

Content Team

This blog is from Mindbowser’s content team – a group of individuals coming together to create pieces that you may like. If you have feedback, please drop us a message at contact@mindbowser.com
