Your Software and Devices Are Not HIPAA Compliant

With growing frequency, vendors market their software, devices, and services as “HIPAA Compliant”. This feeds into the mistaken belief that such beasts exist. It’s somewhat understandable. After all, it’s much easier to say “Our cloud-based software is HIPAA compliant” than to say “As a Business Associate, we adhere to all the rules and regulations of HIPAA and HITECH and will sign a Business Associate Agreement with you in order to help you maintain compliance as a Covered Entity. There are, of course, multiple other things you need to do to maintain compliance that we can’t necessarily help you with.”

It’s Not That Simple

So, while you may participate in the marketing speak in the interest of easing communication, it’s important to note that there is no such thing as compliant software or a compliant device.   Put another way, you cannot maintain HIPAA compliance by simply “only purchasing HIPAA compliant stuff”.  Only Covered Entities and Business Associates can be compliant.  They do so by following all of the requirements of HIPAA and HITECH, which are extensive when it comes to technology.  With the deadline long passed for complying with the latest update to HIPAA, it’s more important than ever that Covered Entities ensure compliance.

There are multiple pieces to establishing and maintaining compliance.  Especially with technology, you must establish administrative, technical, and physical safeguards that follow HIPAA/HITECH requirements.  The short summary is that:

  • Administrative safeguards refer to doing a risk assessment/analysis and establishing policies and procedures regarding the creation, storage, and transfer of PHI and ePHI (electronic PHI). Policies can address who has passwords/access to PHI and much more.
  • Technical safeguards mean you use technical means to secure the data (for example, strong passwords and encryption).
  • Physical safeguards mean you use physical means to protect the data (for example, keeping devices in a secure location when not in use and restricting who has access).

Document Your Risk Assessment

As always, where HIPAA is concerned it is important that you Document, Document, Document.  Should you ever be audited or investigated, your documentation that you’ve done due diligence will likely play an important role.  There’s a lot more to each of the three steps above.  Feel free to contact us for more information on how we can help, or schedule a consultation.

One specific case study for this challenge is when people say, “You can use GSuite! It’s HIPAA Compliant, and they sign a BAA”, the implication being that’s all you have to do. Click here to read why it’s not that simple.

About the Author

Rob has been covering technology and business news for mental health professionals since 2011. His extensive experience in IT, business, and private practice allows him to synthesize information in a friendly, digestible manner. He also enjoys time with his family, ultimate frisbee, and board gaming.

Rob Reinhardt

CEO, Tame Your Practice
