Having a website is crucial for every business, including healthcare providers. In fact, almost 93% of business decisions start with an online search. However, some websites, such as those of healthcare providers, need to take extra precautions and must be HIPAA compliant.
Any medical eCommerce company or practice that sells medical equipment may face HIPAA compliance issues. Any business that handles protected or confidential health information (PHI) must take additional care.
Such practices and companies, especially eCommerce companies, must comply with the HIPAA checklist. If these companies fail to select the right eCommerce partner, they risk non-compliance fines, security breaches, and penalties. They also end up losing credibility with their customers when clients’ personal medical information is exposed or when clients cannot receive advanced functionality based on electronic health and medical records.
The point here is simple: if you are integrating new and better healthcare software, you must make it secure as well as compliant with all the HIPAA rules.
First, you must understand that being HIPAA compliant, for any covered entity, involves taking reasonable steps to ensure that physical, administrative and technical safeguards are in place to keep PHI safe.
For instance, suppose you hold PHI in cloud storage but do not have proper policies in place for sharing this information with others. Anyone can then deliberately or accidentally leak or share that information even though they have no right to do so. As a result, your website ends up in violation of HIPAA.
Imagine the number of violations that may occur due to a stolen smartphone or laptop. If there are no procedures or policies in place to secure and encrypt the device, no technology can help save the data.
So if the answer is yes and you are handling PHI through the website, you must make sure it’s HIPAA compliant, even if the transaction is as simple as setting an appointment. Even an appointment is identifiable information used in relation to patient care, so setting one is an example of transmitting PHI.
HIPAA actually stands for Health Insurance Portability and Accessibility Act. In general, it asks four fundamental things of any organization that handles patients’ medical records in any way.
So if you are involved in health tech development, make sure that the proper technology is in place to meet HIPAA standards. One of the best ways to accomplish this is by having a HIPAA compliance checklist. The development team can also use this checklist to build the app or software accordingly.
Once you have established that you handle Protected Health Information (PHI) and must therefore be HIPAA compliant, it’s time to go through the HIPAA compliance checklist to ensure the privacy and security of PHI.
In terms of action items, you must follow the HIPAA Privacy and Security Rules. Now let’s discuss each of these rules in detail.
The HIPAA Security Rule is about appropriate Physical, Administrative and Technical Safeguards to ensure the integrity, confidentiality and security of PHI.
We can divide the Security Rule into three fundamental aspects:
These parts incorporate implementation specifications. Some of them are addressable and some are required. Addressable implementation specifications are implemented where there is an appropriate and reasonable need to do so. Required implementation specifications are the ones that must be implemented.
This set of guidelines focuses on physical access to PHI and contains four standards.
Breaking these four major standards of physical safeguards down further, there are ten essentials we need to implement:
Contingency Operations: Establish procedures that allow facility access in support of restoring lost data under the disaster recovery plan and emergency mode operation plan in the event of an emergency.
Validation and Access Control Procedures: Implement policies to validate and control a person’s access to facilities based on their function and role. This may also include visitor control and control of access to software programs for testing and revision.
Maintenance Records: Implement procedures and policies to document modifications and repairs to the facility’s security-related physical components, such as doors, walls, hardware, and locks.
Workstation Security: Implement physical safeguards for all workstations that access ePHI, so that access is restricted to authorized users.
Workstation Use: Implement procedures and policies that state the functions to be performed, the manner in which they must be performed, and the physical attributes of the surroundings of the specific workstation or class of workstation that accesses ePHI.
Disposal: Implement policies to address the final disposition of ePHI and of the hardware and electronic media on which it is stored.
Accountability: Maintain records of the movement of hardware and electronic media, including any person responsible for them.
Media Re-Use: Implement policies for removing ePHI from electronic media before the media are made available for re-use.
Data Backup and Storage: Create a retrievable, exact copy of ePHI before equipment is moved and whenever needed.
This is the set of policies that governs the workforce’s code of conduct, along with the security measures implemented to protect ePHI. It is the most important component when implementing a HIPAA compliance program.
We have nine standards under this section:
Compliance with this section of safeguards requires a complete evaluation of the implemented security controls, a thorough and accurate risk analysis, and a series of documented solutions.
These nine standards are further broken down into 18 areas that must be ensured:
Risk Analysis: Perform and document a risk analysis to ascertain where PHI is being stored and used, and to figure out the ways in which HIPAA could be violated.
Sanction Policy: Apply sanction policies to individuals who fail to comply.
Risk Management: Implement adequate measures to reduce these risks to an acceptable level.
Information Systems Activity Reviews: Frequently review logs, system activity, audit trails, etc.
Officers: Designate officers for HIPAA Security and Privacy.
Employee Oversight: Implement policies to supervise and authorize employees working with PHI, and for granting and removing employees’ access to PHI.
ePHI Access: Implement policies for granting and documenting access to ePHI, or to systems and services that grant access to ePHI.
Multiple Organizations: Make sure PHI is inaccessible to parent organizations or subcontractors that are not authorized for access.
Protection against Malware: Implement procedures for guarding against, detecting, and reporting malicious software.
Login Monitoring: Establish monitoring of system logins and reporting of discrepancies.
Security Reminders: Periodically send reminders and updates about privacy and security policies to employees.
Response and Reporting: Document, identify, and respond to security incidents.
Password Management: Make sure there are procedures for creating, changing and protecting passwords.
Contingency Plans: Make sure there are accessible backups of ePHI as well as procedures to restore lost data.
Emergency Mode: Establish procedures that enable critical business processes to continue and protect the security of ePHI while operating in emergency mode.
Contingency Plans Updates and Analysis: Have policies for frequent testing and revision of contingency plans. Assess the criticality of particular data and applications in support of the other contingency plan components.
Business Associate Agreements: If any business partner accesses ePHI, have specific contracts in place to make sure they are compliant. Select partners that also have similar agreements with their own partners to whom they extend access.
Evaluations: Conduct periodic evaluations to see whether changes in the law or the business require changes to the HIPAA compliance procedures.
This section relates to the disclosure and use of electronic patient health information and applies to the different healthcare organizations. It also applies to those who offer health insurance plans, along with the enterprises’ business associates.
Under this section, patients have the right to obtain copies of their relevant health records. The implications for EMR and EHR systems are obvious, especially the need to ensure that all patient identifiers are secure.
Business associates are liable for any disclosure or use of PHI that is not covered under the HIPAA Privacy Rule or their BAA. This rule asks business associates to take the following actions:
Rules under this section govern the policies and procedures for investigations and the assignment of penalties when there is a breach of electronic patient health information. The biggest issue here is avoiding the breach, and this has implications for EMR/EHR software development. Remember that ignoring these requirements may carry greater fines and penalties.
Under this HIPAA rule, healthcare providers must inform patients in case of a breach of unsecured PHI. The Breach Notification Rule also requires entities to instantly notify HHS of any breach of unsecured PHI. In addition, the healthcare provider must notify the public and the media if the breach directly affects 500 or more patients.
Small security breaches can be reported to the Health and Human Services Office of Civil Rights, but larger breaches should be reported to the media. In both scenarios, the patients need to be informed of the breach and of the steps they must take to reduce the potential damage.
The report should be complete and must mention all the relevant details of the breach, including the current level of loss or damage. It must also mention the measures taken to mitigate any further damage.
The checklist discussed above is not exhaustive. Think of it as a brief summary of the most fundamental and major points. If you need a more comprehensive understanding of HIPAA, you must consult the legal documents.
However, you need to interpret these rules and requirements as they apply to your particular organization. Prevention is essential in any EMR/EHR system, and it starts in the basic development phase. It continues through implementation and testing and ends with regular and consistent monitoring. Thus, the checklist applies right from the development phase.
So if you want to be HIPAA compliant and avoid any legal penalties, you need to work with professional and well-versed developers who understand the requirements and have the expertise to implement them.