Your Software and Devices Are Not HIPAA Compliant
With growing frequency, vendors market their software, devices, and services as “HIPAA Compliant”. This feeds into the mistaken belief that such beasts exist. It’s somewhat understandable. After all, it’s much easier to say “Our cloud-based software is HIPAA compliant” than to say “As a Business Associate, we adhere to all the rules and regulations of HIPAA and HITECH and will sign a Business Associate Agreement with you in order to help you maintain compliance as a Covered Entity. There are, of course, multiple other things you need to do to maintain compliance that we can’t necessarily help you with.”
It’s Not That Simple
So, while you may participate in the marketing speak in the interest of easing communication, it’s important to note that there is no such thing as compliant software or a compliant device. Put another way, you cannot maintain HIPAA compliance by simply “only purchasing HIPAA compliant stuff”. Only Covered Entities and Business Associates can be compliant. They do so by following all of the requirements of HIPAA and HITECH, which are extensive when it comes to technology. With the deadline long passed for complying with the latest update to HIPAA, it’s more important than ever that Covered Entities ensure compliance.
There are multiple pieces to establishing and maintaining compliance. Especially with technology, you must establish administrative, technical, and physical safeguards that follow HIPAA/HITECH requirements. The short summary is that:
- Administrative safeguards refer to doing a risk assessment/analysis and establishing policies and procedures regarding the creation, storage, and transfer of PHI and ePHI (electronic PHI). Policies can address who has passwords/access to PHI and much more.
- Technical safeguards mean you use technical means to secure the data (for example, strong passwords and encryption).
- Physical safeguards mean you use physical means to protect the data (for example, keeping devices in a secure location when not in use and restricting who has access).
Document Your Risk Assessment
As always, where HIPAA is concerned it is important that you Document, Document, Document. Should you ever be audited or investigated, your documentation that you’ve done due diligence will likely play an important role. There’s a lot more to each of the three steps above. Feel free to contact us for more information on how we can help, or schedule a consultation.
One specific case study for this challenge is when people say, “You can use GSuite! It’s HIPAA Compliant, and they sign a BAA”, the implication being that’s all you have to do. Click here to read why it’s not that simple.
About the Author
Rob has been covering technology and business news for mental health professionals since 2011. His extensive experience in IT, business, and private practice allows him to synthesize information in a friendly, digestible manner. He also enjoys time with his family, ultimate frisbee, and board gaming.