
New Technology and HIPAA Compliance for Healthcare Providers

Despite many healthcare providers continuing to rely on outdated data collection methods, the integration of technology into healthcare is slowly deepening.

In whatever ways healthcare providers use digital technologies in their practice, they must understand to what extent HIPAA governs data and how they can ensure compliance. 


Does Software Need to Be HIPAA Compliant?

Yes, in the vast majority of cases.

HIPAA covers all healthcare data collected or stored by those working in the healthcare space, including hospitals, pharmacies and doctors' offices, says Jodi Daniel, a partner in Crowell & Moring’s Health Care Group. However, HIPAA doesn’t apply to purely consumer-facing technology, such as a Fitbit or an Apple Watch. Whether an app needs to be HIPAA-compliant will depend on its functionality and purpose, explains the team at HIPAA Journal. If the app only collects personal data about an individual for the exclusive use of that individual, then the app is not subject to HIPAA rules.

What matters is whether there’s a healthcare professional or a healthcare organization involved in those data flows. “If, however, the personal data collected will be shared with a medical professional or other HIPAA Covered Entity (a healthcare insurance company for example), then the data is considered to be Protected Health Information and the app needs to be HIPAA compliant,” they write.


Data Presents a Serious Compliance Issue

Healthcare practitioners must consider HIPAA compliance both when building or buying a digital tool and when using one.

Patient data access should be limited to only those who really need it, says the editorial team at HealthITSecurity. HIPAA compliance means that only the minimum amount of patient information should be accessible, too.

“For example, a facility needs to determine the access control capability of all information systems with ePHI and ensure that system activity can be traced to a specific user,” the team writes. “It is also critical to create a formal policy for access control that will guide the development of procedures.”
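The two requirements in that quote, restricting each user to the minimum necessary ePHI and making every access traceable to a specific user, are what an application-level access gateway has to enforce. The following is an added example, not code from the article or from any vendor it mentions: a hypothetical in-memory gateway with a field-level allow-list per role and an audit entry for every attempt, allowed or denied. The roles, field names, user ids and the patient record are all constructed for illustration; real deployments would back the user-to-role map with their authentication system and write the audit trail to tamper-evident storage.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Hypothetical roles and the ePHI fields each one may read. This is the
# "minimum necessary" policy: front-desk staff never see diagnoses, billing
# never sees medications, and so on. Names are constructed for this example.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "physician": frozenset({"name", "dob", "diagnoses", "medications"}),
    "billing": frozenset({"name", "dob", "insurance_id"}),
    "front_desk": frozenset({"name", "phone"}),
}

# Constructed sample record; not real patient data.
PATIENTS: Dict[str, dict] = {
    "p-1001": {
        "name": "Jane Example",
        "dob": "1980-01-01",
        "phone": "555-0100",
        "insurance_id": "INS-TEST-0001",
        "diagnoses": ["J06.9"],
        "medications": ["ibuprofen"],
    }
}


@dataclass
class AuditEvent:
    """One audit-trail entry: every access attempt, allowed or not, tied to a user."""
    timestamp: str
    user_id: str
    role: str
    patient_id: str
    requested: List[str]
    granted: List[str]
    outcome: str  # "allowed", "partial" or "denied"


@dataclass
class EPHIGateway:
    # user_id -> role, as established by the application's authentication
    # layer (assumed to exist; this example does not implement login).
    users: Dict[str, str]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _record(self, user_id, role, patient_id, requested, granted) -> AuditEvent:
        # Classify the attempt and append it to the trail before any data leaves.
        if not granted:
            outcome = "denied"
        elif len(granted) == len(requested):
            outcome = "allowed"
        else:
            outcome = "partial"
        event = AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_id=user_id, role=role, patient_id=patient_id,
            requested=list(requested), granted=list(granted), outcome=outcome,
        )
        self.audit_log.append(event)
        return event

    def read(self, user_id: str, patient_id: str, fields: List[str]) -> Optional[dict]:
        """Return only the requested fields this user's role may see.

        Unknown users, unknown patients and fields outside the role's
        allow-list are dropped, and the attempt is logged either way so the
        trail shows who tried to read what.
        """
        role = self.users.get(user_id, "unknown")
        allowed = ROLE_FIELDS.get(role, frozenset())
        record = PATIENTS.get(patient_id)
        granted = [f for f in fields if f in allowed] if record else []
        event = self._record(user_id, role, patient_id, fields, granted)
        if event.outcome == "denied":
            return None
        return {f: record[f] for f in granted}

    def who_accessed(self, patient_id: str) -> List[AuditEvent]:
        """Trace every attempt against one patient's record back to a user."""
        return [e for e in self.audit_log if e.patient_id == patient_id]

    def activity_of(self, user_id: str) -> List[AuditEvent]:
        """Trace one user's activity across all records."""
        return [e for e in self.audit_log if e.user_id == user_id]


if __name__ == "__main__":
    gw = EPHIGateway(users={"u-alice": "physician", "u-bob": "front_desk"})
    print(gw.read("u-bob", "p-1001", ["name", "diagnoses"]))  # only "name" comes back
    print(gw.read("u-mallory", "p-1001", ["name"]))           # None: unknown user
    for e in gw.who_accessed("p-1001"):
        print(e.user_id, e.role, e.outcome, e.granted)
```

The point of logging partial and denied attempts, not just successful reads, is that a user repeatedly requesting fields outside their role is exactly the activity a compliance review needs to be able to attribute to a specific account.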

Where data is stored should also be a concern. Typically, this will be in the cloud. Therefore, healthcare providers must choose a HIPAA-compliant provider of cloud infrastructure.

Finding a provider that is HIPAA-compliant and a fit for your organization’s needs is not easy. “Even if a cloud solution enables you to use it in a compliant manner, that doesn’t mean it solves the compliance problem for you,” says Jeff Thomas, CTO of Forward Health Group.


Device Use Must Also Be a Consideration

The devices used to access digital tools are just as important as the digital tools themselves.

What surprises healthcare providers most about HIPAA rules is that the use of other technology, like scanners and printers, greatly increases the risk of non-compliance, says David Harlow, a former healthcare attorney and current chief compliance and privacy officer at Insulet Corporation.

“As a result, it is incumbent upon healthcare providers — in both clinical and administrative environments — to institute sound data handling practices for these devices and the documents processed by each,” Harlow writes.

Doing so is made a lot easier with user-friendly devices and software, as well as knowledgeable providers who can ensure best practices are followed.

Communication devices are a particularly thorny issue. Most common forms of communication are not HIPAA-compliant, the team at Compliance Junction writes. “Unsecure channels of communication typically include SMS, Skype and email because copies of messages remain on service providers’ servers over which a healthcare organization has no management power.”

Encrypting these messaging channels is one way to make them compliant, but it only works if every party uses the same operating system and encryption method.

What’s more, service providers like Microsoft and Google would still have access to that encrypted data. That means compliance would require these companies to sign Business Associate Agreements with healthcare providers — something most won’t willingly do, the Compliance Junction team points out. 


Compliance Does Not Equal Security

Building or buying a piece of HIPAA-compliant software is not the end of the story. Providers must take steps to protect the data from cybersecurity breaches, too.

“Threats that undermine data security and jeopardize protected health information, such as human error and cybercriminal activity, exist both inside and outside the organization regardless of best efforts by providers,” says Rick Kuwahara, the COO and Chief Compliance Officer of Paubox.

As a result, healthcare providers must not only work with a vendor who can develop HIPAA-compliant software, but with one who will work with them to ensure sensitive data is protected.


Images: Cytonn Photography, Luke Chesser
