HIPAA is one of the more exacting legal regimes a new organization can face, but it is unavoidable for any that will touch protected health information (PHI) in any way. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 because it was recognized that, as new technologies made personal health information more readily available to doctors and patients, there was an equal responsibility to limit access to it and protect the privacy of the individual.
Cloud technologies mean that information can potentially be accessed from anywhere in the world, and doctors routinely send your X-rays and MRIs to other physicians across the country for consultations. Your prescriptions are stored in national databases for retrieval by pharmacists across the country, so that you can obtain your prescriptions while traveling and so that pharmacists and doctors are warned before prescribing conflicting medications. This convenience comes at a cost: it puts your protected health information at greater risk. HIPAA contains that risk by mandating specific safeguards for handling PHI (the Privacy Rule governs how PHI may be used and disclosed; the Security Rule requires administrative, physical and technical safeguards for electronic PHI) and by levying hefty penalties on those who mishandle it.
It is not just doctors and pharmacists that HIPAA applies to, however. It applies to any organization that creates, receives, maintains or transmits protected health information on a covered entity's behalf, even if the data merely passes through on its way somewhere else. The one narrow carve-out is the conduit exception for pure transmission services such as ISPs and couriers, which have only transient, incidental access; a service that stores PHI beyond what is incidental to transmission is not a conduit. The reason is that a breach can occur at any point in the chain of custody, so the protections must be present throughout.
It should also be noted that HIPAA grants patients a right to access their health information in a timely fashion: a covered entity generally has 30 days to respond to an access request (one 30-day extension is allowed), and data that is lost or inaccessible for an excessive period can result in penalties just as easily as a breach of confidentiality. A reasonable, cost-based fee may be charged for producing copies in certain formats, but records cannot be withheld because a bill has not been paid.
If there is any doubt as to whether you are required to meet HIPAA requirements, the safe course is to make sure your staff are fully aware of and trained to meet HIPAA guidelines anyway. If you know you fall under the Covered Entity or Business Associate category, engage other HIPAA-compliant companies, including software vendors that are HIPAA compliant and have experience with such requirements, such as Flatirons Development, and put a Business Associate Agreement in place with each of them before any PHI changes hands.
This is because OCR (the HHS Office for Civil Rights) actively pursues violations of HIPAA regulations, and penalties can be exorbitant. The largest settlement paid in 2021 was 5.1 million dollars. Organizations have likely become more careful since the peak years: total settlements and civil money penalties in 2016, 2017 and 2018 each approached or exceeded 20 million dollars, with several multi-million-dollar cases, and a record 16-million-dollar settlement was recorded in 2018. HIPAA enforcement can take a hefty chunk out of nearly anyone's bottom line, not to mention the stigma attached to being associated with a breach.
When considering a vendor, developer or other business arrangement for an organization that must be HIPAA compliant, be very careful with offshore (out-of-country) business associates. OCR's practical ability to enforce against an organization with no presence in the United States is limited, so if a breach or violation occurs at the offshore associate, the costs could fall squarely on your organization's shoulders. Since the 2013 Omnibus Rule, business associates are directly liable under HIPAA for certain provisions, so when a violation occurs at an onshore business associate the liability is shared with it; shared is far better than the penalty falling only on your organization, and that can be the difference between surviving a breach and folding under it. Any vendor that creates, receives, maintains or transmits PHI on your behalf is a Business Associate, and the relationship must be set out in a written Business Associate Agreement (BAA) before PHI is shared. When working with nearshore developers on work that is subject to HIPAA, we recommend using a company like Flatirons Development, whose headquarters are in the United States.
Not every vendor or organization needs to be HIPAA compliant, obviously. Becoming HIPAA compliant can open new business opportunities, but it also exposes your organization to new risks, ones that could sink a smaller venture. The first question to ask about your organization is: do you need to be HIPAA compliant to perform your business activities?
Companies that need to be directly HIPAA compliant are called Covered Entities. There are three categories: health plans; health care clearinghouses; and health care providers that transmit health information electronically in connection with a transaction for which HHS has adopted a standard (claims, eligibility checks, referrals and the like).
Chances are, if you fall under one of these categories, you are well aware of HIPAA regulations. However, HIPAA compliance also covers Business Associates, and this is where it can get tricky. The test is function, not proximity: a Business Associate is a person or organization that creates, receives, maintains or transmits PHI on behalf of a covered entity, or provides it a service that involves PHI. An organization selling cleaning supplies to a covered entity will not need to be HIPAA compliant, as it never touches a system in which PHI is stored. A janitorial service with physical access to the building is generally not a Business Associate either, because any exposure to PHI is incidental rather than part of the service; the covered entity must still protect PHI from that exposure (locked records rooms, screen locks, clean-desk rules), but it does not sign a BAA with the cleaners. A medical transcription service or a cloud provider that stores electronic PHI, by contrast, handles PHI as the service itself and is a Business Associate, even if the data it stores is encrypted.
Here you can check the types of Business Associates in Software Development.
Business Associates must in turn have contracts in place with their own subcontractors that handle PHI. This is where many organizations first touch HIPAA requirements. For software companies in particular, even if you are not in the business of handling PHI, HIPAA applies if any portion of it passes through your service or application, or if you access a protected system (even only occasionally) to verify eligibility for a service or product.

Sometimes the data flow can be redesigned so that the requirement does not reach your organization. Say you have an application that delivers SMS appointment reminders to clients or patients. If you never access PHI directly, and the doctor's office has systems in place so that only the appointment date and time and the clinic name are passed to you, your SMS service may not need to be covered by such a contract: the patient's name is not accessible, the doctor's name is not provided so the reason for the visit cannot be surmised, and there is no payment or other information to be gleaned from the message. Essentially, no PHI is processed. Two practical caveats: the boundary only holds if your side enforces it (reject any record carrying fields beyond the agreed minimum rather than trusting the sender to strip them), and because the recipient's phone number is itself an identifier, the determination that the residual payload is not PHI should be made deliberately and documented rather than assumed. On this basis, many organizations are not required to be HIPAA compliant.
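One way to enforce the minimal-payload boundary described above, as an added example that is not code from the original article or from Flatirons Development (the field names, the clinic list and the sample records are assumptions constructed for illustration):

```python
"""Default-deny filter between a clinic's scheduler and an SMS vendor.

Added example, not code from the original article or from Flatirons.
Field names, the clinic list and the sample records are assumptions
constructed for illustration. The SMS side stays outside the scope of a
Business Associate Agreement only if nothing beyond the agreed minimum
(destination number, appointment time, clinic name) ever reaches it, so
anything else is rejected rather than silently dropped: a record that
arrives with extra fields means an upstream system is over-sharing and
someone needs to know.
"""
import re
from datetime import datetime

# The only fields the SMS side is allowed to receive (assumed names).
ALLOWED_FIELDS = {"to", "appointment_at", "clinic_name"}
# Clinic names come from configuration, never from free text, so a sender
# cannot smuggle a doctor's name or specialty through this field.
KNOWN_CLINICS = {"Main Street Clinic", "Riverside Family Practice"}  # assumed
E164 = re.compile(r"^\+[1-9]\d{7,14}$")  # destination number format


class PhiLeakError(ValueError):
    """A record carried more than the reminder needs."""


def build_reminder(record):
    """Validate one scheduler record and return the message for the SMS vendor."""
    extra = set(record) - ALLOWED_FIELDS
    if extra:
        # Report field names only; the values may be PHI and must not be logged.
        raise PhiLeakError(f"unexpected fields (not forwarded): {sorted(extra)}")
    missing = ALLOWED_FIELDS - set(record)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    to = record["to"]
    if not isinstance(to, str) or not E164.match(to):
        raise ValueError("destination must be an E.164 number")
    clinic = record["clinic_name"]
    if clinic not in KNOWN_CLINICS:
        raise PhiLeakError("clinic_name is not a configured clinic name")
    when = datetime.fromisoformat(record["appointment_at"])  # ValueError on junk
    body = f"Reminder: you have an appointment at {clinic} on {when:%Y-%m-%d} at {when:%H:%M}."
    return {"to": to, "body": body}


def process_batch(records):
    """Split a batch into deliverable messages and rejection reasons."""
    deliverable, rejected = [], []
    for record in records:
        try:
            deliverable.append(build_reminder(record))
        except ValueError as exc:  # PhiLeakError is a ValueError
            rejected.append(str(exc))  # never append the record itself
    return deliverable, rejected


# Constructed sample input: one clean record, one where the scheduler
# over-shared, and one where PHI was smuggled into a free-text field.
SAMPLE_RECORDS = [
    {"to": "+15555550123", "appointment_at": "2025-03-04T09:30",
     "clinic_name": "Main Street Clinic"},
    {"to": "+15555550124", "appointment_at": "2025-03-04T10:00",
     "clinic_name": "Main Street Clinic",
     "patient_name": "J. Doe", "diagnosis": "E11.9"},
    {"to": "+15555550125", "appointment_at": "2025-03-05T14:15",
     "clinic_name": "Dr. Smith, oncology follow-up"},
]

if __name__ == "__main__":
    sent, dropped = process_batch(SAMPLE_RECORDS)
    for msg in sent:
        print("SEND", msg["to"], msg["body"])
    for reason in dropped:
        print("REJECT", reason)
```

Running the module prints one SEND line and two REJECT lines. The two design choices that matter are rejecting rather than stripping unexpected fields, so an over-sharing scheduler is noticed instead of quietly tolerated, and restricting clinic_name to configured values, so a free-text field cannot carry a doctor's name or specialty. The rejection reasons contain field names only, so the rejection log itself stays outside the PHI boundary.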
The information protected by HIPAA includes the information your doctors, nurses and other health care providers put in your medical record; conversations your doctor has with nurses and others about your care or treatment; information about you in your health insurer's computer system; billing information about you at your clinic; and most other health information about you held by those who must follow these laws.
If you have reason to believe any of the above protected health information could reasonably pass through your organization, you should immediately look to become HIPAA compliant, and require the same of any contractors you do business with, including any software developers designing an application for you. Flatirons Development is a HIPAA-compliant vendor, and our experienced team is ready to ensure HIPAA compliance when creating your application.