Having a website is crucial for every business, healthcare providers included. In fact, almost 93% of business decisions begin with an online search. However, some websites, such as those of healthcare providers, must take extra precautions and be HIPAA compliant.
Any medical eCommerce company or practice that sells medical equipment may face HIPAA compliance issues. Any business that handles protected or confidential health information (PHI) must take additional care.
Such practices or companies must comply with the HIPAA checklist, especially eCommerce companies. If they fail to select the right eCommerce partner, they risk non-compliance fines, security breaches and penalties. They also lose credibility with their customers when clients’ personal medical information is exposed, or when clients cannot receive advanced functionality based on electronic health and medical records.
The point is simple: if you are integrating new and better healthcare software, you must make it secure and compliant with all the HIPAA rules.
When Does Your Website Need To Be HIPAA Compliant, And How Do You Make It So?
First, you must understand that being HIPAA compliant, for any covered entity, involves taking reasonable steps to ensure that physical, administrative and technical safeguards are in place to keep PHI safe.
For instance, suppose you hold PHI in cloud storage but do not have proper policies in place for sharing this information with others. Anyone could deliberately or accidentally leak or share that information even though they have no right to do so. As a result, your website is caught in a HIPAA violation.
Imagine the number of violations that may occur because of a stolen smartphone or laptop. If there are no procedures or policies in place to secure and encrypt the device, no technology can save the data.
If you are wondering whether your website has to be HIPAA compliant, you must identify the ways in which your visitors are likely to interact with the website. Once identified, you need to ensure that these interactions result in a user-friendly yet secure experience. This can be done by considering:
- Do you store PHI on the server you host?
- Do you transmit any PHI online?
So if the answer is yes and you are handling PHI through the website, you must make sure it is HIPAA compliant, even if the transaction is as simple as setting an appointment. Even an appointment booking is identifiable information, and sending it is an example of transmitting PHI used in relation to patient care.
The Requirement of HIPAA Compliance
HIPAA stands for the Health Insurance Portability and Accountability Act. In general, it asks four fundamental things of any organization that handles patients’ medical records in any way.
- You must have proper safeguards in place to fully protect patients’ health information.
- You must restrict the sharing or use of health information to the extent needed for the purpose.
- If your medical records are handled by any contracted service, you must have agreements ensuring that they are also compliant with HIPAA regulations.
- You must have policies and procedures to ensure limited access, and train staff on the protection of hard-copy records as well as ePHI (electronic Protected Health Information).
So if you are involved in health tech development, make sure the technology in place meets HIPAA standards. One of the best ways to accomplish this is to have a HIPAA compliance checklist. The development team can also use this checklist to build the app or software accordingly.
Checklist for HIPAA Compliance
Once you have identified that you handle PHI (Protected Health Information) and therefore must be HIPAA compliant, it is time to go through the HIPAA compliance checklist to ensure the privacy and security of PHI.
In terms of a checklist, there are four rules that must be examined:
- HIPAA Privacy Rule
- HIPAA Enforcement Rule
- HIPAA Security Rule
- HIPAA Breach Notification Rule
In terms of action items, you must follow the HIPAA Privacy and Security Rules. Now let’s discuss each of these rules in detail.
HIPAA Security Rule
The HIPAA Security Rule is about appropriate physical, administrative and technical safeguards to ensure the integrity, confidentiality and security of PHI. We can divide the Security Rule into three fundamental aspects:
- Physical Safeguards
- Technical Safeguards
- Administrative Safeguards
These parts incorporate implementation specifications, some of which are addressable and some required. Addressable implementation specifications are implemented if there is an appropriate and reasonable need to do so; required implementation specifications must always be implemented.
Physical Safeguards
This set of guidelines focuses on physical access to PHI and contains four standards.
- Workstation use
- Facility access control
- Device and media controls
- Workstation security
As we further break down these four major standards of physical safeguards, there are ten essentials we need to implement:
Facility Access Control
✔Contingency Operations: Establish procedures that allow facility access in support of restoring lost data under the disaster recovery plan and emergency mode operation plan in the event of an emergency.
✔Facility Security Plan: Implement policies and procedures to safeguard the facility and the equipment therein from theft, tampering or unauthorized physical access.
✔Access Control and Validation Procedures: Implement policies to validate and control a person’s access to facilities based on their role and function. This may also include visitor control and control of access to software programs for testing and revision.
✔Maintenance Records: Implement policies and procedures to document repairs and modifications to the physical components of the facility that are related to security, such as doors, walls, hardware and locks.
✔Workstation Security: Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
✔Workstation Use: Implement policies and procedures that specify the functions to be performed, the manner in which they are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
Device and Media Controls
✔Disposal: Implement policies to address the final disposition of ePHI and of the hardware or electronic media on which it is stored.
✔Accountability: Maintain a record of the movements of hardware and electronic media and of any person responsible for them.
✔Media Re-Use: Implement policies for the removal of ePHI from electronic media before the media are made available for re-use.
✔Data Backup and Storage: Create a retrievable, exact copy of ePHI, when needed, before moving equipment.
Administrative Safeguards
These are the policies that govern the workforce’s code of conduct, along with the security measures implemented to protect ePHI. This is the most important component when implementing a HIPAA compliance program.
We have nine standards under this section:
- Assigned Security Responsibility
- Security Management Process
- Training and Security Awareness
- Information Access Management
- Workforce Security
- Business Associate Contracts and Other Arrangements
- Contingency Plan
- Security Incident Procedures
- Evaluation
Compliance with this section of safeguards requires a complete evaluation of the implemented security controls and a thorough, accurate risk analysis, along with a series of documented solutions.
These nine standards are further broken down into 18 areas that must be ensured:
Security Management Process
✔Risk Analysis: Perform and document a risk analysis to ascertain where PHI is stored and used, and to figure out the ways in which HIPAA could be violated.
✔Sanction Policy: Apply sanction policies to individuals who fail to comply.
✔Risk Management: Implement adequate measures to reduce these risks to an acceptable level.
✔Information Systems Activity Reviews: Regularly review logs, system activity, audit trails, etc.
✔Officers: Designate HIPAA Security and Privacy Officers.
✔Employee Oversight: Implement policies to supervise and authorize employees working with PHI, and for granting and removing employees’ access to PHI.
Information Access Management
✔ePHI Access: Implement policies for granting access to ePHI, or to the systems and services that provide access to it, and document that access.
✔Multiple Organizations: Make sure PHI is inaccessible to parent organizations or subcontractors that are not authorized to access it.
Security Awareness and Training
✔Protection against Malware: Implement procedures for guarding against, detecting and reporting malicious software.
✔Login Monitoring: Establish monitoring of system logins and reporting of discrepancies.
✔Security Reminders: Periodically send employees reminders and updates about privacy and security policies.
✔Response and Reporting: Identify, document and respond to security incidents.
✔Password Management: Make sure there are procedures for creating, changing and protecting passwords.
✔Contingency Plans: Make sure there are proper, accessible backups of ePHI, as well as procedures to restore lost data.
✔Emergency Mode: Establish procedures to enable the continuation of critical business processes for the protection of ePHI security while operating in emergency mode.
✔Contingency Plan Updates and Analysis: Have policies for regularly testing and revising contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
✔Business Associate Agreements: If any business partner accesses ePHI, have specific contracts in place to make sure they are compliant. Select partners that also have similar agreements with the partners to whom they extend access.
✔Evaluations: Conduct periodic evaluations to see whether any changes in the law or in the business require changes to the HIPAA compliance procedures.
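The Information Systems Activity Reviews, ePHI Access and Login Monitoring items above all come down to someone actually reading the audit trail and flagging what does not belong. The script below is an added example, not code from the original article: it parses a handful of constructed ePHI audit-log lines and reports two kinds of finding, a burst of failed logins for one account and a successful ePHI read by an account that is not on the authorized workforce list. The log format, the field names, the workforce list and the three-failures-in-five-minutes threshold are all assumptions chosen for the example.

```python
"""Audit-log review for the Login Monitoring and ePHI Access checklist items.

Added example, not from the original article. The log line format
('<ISO timestamp> key=value ...'), the field names, the authorized-user list
and the thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, user, event, target, outcome.
SAMPLE_LOG = """\
2024-03-01T08:59:10 user=jdoe event=login target=- outcome=FAIL
2024-03-01T08:59:25 user=jdoe event=login target=- outcome=FAIL
2024-03-01T08:59:41 user=jdoe event=login target=- outcome=FAIL
2024-03-01T09:00:02 user=jdoe event=login target=- outcome=SUCCESS
2024-03-01T09:05:13 user=jdoe event=phi_read target=patient-1042 outcome=SUCCESS
2024-03-01T09:07:44 user=svc-backup event=phi_read target=patient-1042 outcome=SUCCESS
2024-03-01T09:10:00 user=asmith event=phi_read target=patient-2201 outcome=SUCCESS
2024-03-01T17:30:00 user=contractor7 event=phi_read target=patient-2201 outcome=SUCCESS
"""

# Assumed workforce list: accounts currently authorized to read ePHI.
AUTHORIZED_PHI_USERS = {"jdoe", "asmith"}

FAILED_LOGIN_THRESHOLD = 3                   # this many failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)   # ... inside this sliding window


def parse_line(line):
    """Turn one '<ts> key=value ...' line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_log(text):
    """Parse every non-blank line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_login_bursts(records, threshold=FAILED_LOGIN_THRESHOLD,
                        window=FAILED_LOGIN_WINDOW):
    """Map user -> failure count for users with >= threshold failed logins
    inside any window of the given length (Login Monitoring)."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "login" and r["outcome"] == "FAIL":
            failures[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside 'window'.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


def unauthorized_phi_access(records, authorized=AUTHORIZED_PHI_USERS):
    """(user, target) pairs for successful ePHI reads by accounts that are
    not on the authorized workforce list (ePHI Access / Employee Oversight)."""
    return [(r["user"], r["target"]) for r in records
            if r["event"] == "phi_read" and r["outcome"] == "SUCCESS"
            and r["user"] not in authorized]


def review(text):
    """Run both checks over a log text and return the findings."""
    records = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(records),
        "unauthorized_phi_access": unauthorized_phi_access(records),
    }


if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG).items():
        print(f"{finding}: {detail}")
```

The second check is the one reviewers most often skip: a service account or a contractor may legitimately have system access and still not be authorized to read patient records, so the comparison is against the list of people whose ePHI access has actually been granted and documented, not against who can log in.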
HIPAA Privacy Rule
This section relates to the use and disclosure of electronic patient health information and applies to the various healthcare organizations. It also applies to those who offer health insurance plans, along with these enterprises’ business associates.
Under this section, patients have the right to obtain copies of their relevant health records. The implications for EMR and EHR systems are obvious, especially in ensuring that every patient identifier is also secured.
Business associates are liable for any use or disclosure of PHI that is not permitted under the HIPAA Privacy Rule or their BAA. This rule requires the business associate to take the following actions:
- Provide adequate breach notification to the Covered Entity
- Don’t allow any impermissible disclosure or use of PHI
- Offer an accounting of disclosures
- Be compliant with the HIPAA Security Rule requirements
- Disclose PHI to the HHS Secretary if required
- Provide access to PHI to either the Covered Entity or the individual
HIPAA Enforcement Rules
Rules under this section govern the policies and procedures for investigating breaches of electronic patient health information and assigning penalties. The biggest issue here is avoiding the breach in the first place, and this has implications for EMR/EHR software development. Remember that ignorance of these requirements may carry greater fines and penalties.
HIPAA Breach Notification Rules
Under this rule, healthcare providers must inform patients in the event of a breach of unsecured PHI. The Breach Notification Rule also requires entities to promptly notify HHS of any breach of unsecured PHI. The healthcare provider must also notify the media and the public if the breach affects 500 or more patients.
Small security breaches can be reported to the Health and Human Services Office for Civil Rights, but larger breaches must also be reported to the media. In both scenarios, the patients need to be informed and notified of the steps they must take to reduce the potential damage.
The report should be complete and mention all the relevant details of the breach, including the current extent of loss or damage. It must also mention the measures taken to mitigate any further damage.
The Bottom Line
The checklist discussed above is not exhaustive. In fact, you can call it a brief summary of the most fundamental points. If you need a more comprehensive understanding of HIPAA, you must consult the legal documents.
However, you need to interpret these rules and requirements as they apply to your particular organization. Since prevention is essential in any EMR/EHR system, it starts in the basic development phase, continues through implementation and testing, and ends with regular, consistent monitoring. Thus, the checklist starts right from the development phase.
So if you want to be HIPAA compliant and avoid legal penalties, you need to work with professional, well-versed developers who understand the requirements and have the expertise to implement them.