Help with HIPAA Compliance
Helping you understand the complexities of compliance under the HIPAA Security and Privacy Rules. Our team of experts in regulatory compliance can answer any questions you may have.
Colington Consulting

HIPAA Compliant: What Does That Really Mean?

4/17/2015 5:22:11 AM

Often I hear the term “HIPAA Compliant” used in healthcare and the related IT sector. The term normally refers to a product, service or software that is somehow using, accessing, storing or transmitting protected health information (PHI). It has become an unofficial seal of approval.

As far as I can tell, the government does not prohibit using the term, nor does it regulate how the term is used. I am not saying that a product, service or software claiming to be HIPAA compliant is not. But in order to truly make that claim, an organization or business must follow all the requirements in the Code of Federal Regulations (CFR) pertaining to HIPAA compliance.

So who has to be HIPAA compliant, or as I prefer to say, who is required to follow all the HIPAA regulations? The CFR clearly defines two categories of individuals, organizations, agencies and businesses that must comply with HIPAA requirements: Covered Entities (CEs) and Business Associates (BAs).

A CE is any provider of medical, dental or other healthcare services or supplies that transmits any health information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services (HHS) has adopted a standard. If you transmit any patient health information electronically, even just within a practice, then you are a CE. If you file any insurance claims electronically, you are a CE. CEs also include health plans and healthcare clearinghouses that perform electronic healthcare billing functions. A BA is, with certain exceptions, a person or entity that creates, receives, maintains or transmits PHI for a function or activity on behalf of a CE.

HIPAA compliance is about taking identifiable and documented steps to mitigate the risk to protected health information. If your healthcare practice or business is audited by HHS, you must be able to produce documentation showing that you are adhering to the implementation specifications of HIPAA. There are over 50 specifications in the regulation, each designated either required or addressable.

Following HIPAA regulations means you are conducting an annual risk assessment to determine any vulnerabilities and threats to the PHI you maintain. A HIPAA Risk Assessment must produce a gap analysis that determines the risk level for all the administrative, technical and physical safeguards that must be in place, along with the proper remediation where necessary.

You must generate a HIPAA Risk Management Plan. Think of the plan as your overall policies and procedures manual. Regardless of the size of your practice or business, a plan needs to be in place as the way you address all the implementation specifications. The plan should be available to all members of the workforce and used to guide them in properly following and implementing compliance requirements.

You must also provide the workforce with annual HIPAA Security Awareness Training. This training is not just for those who need access to PHI, but for the entire workforce. A good training program should cover both the HIPAA Security and Privacy Rules. A training program is required to address security reminders, protection from malicious software, log-in monitoring, and password management.

Remember, if you are a Covered Entity or Business Associate, you are required to follow all the regulations. My advice is to be cautious when saying you are “HIPAA Compliant.” Make sure you are prepared to back up that statement.

©2024 Dentaltown, a division of Farran Media • All Rights Reserved