Do you need to be HIPAA compliant?
If your application handles protected health information (PHI) then you need to be HIPAA compliant. As we wrote in last week’s post, violating HIPAA can be costly and can result in civil and criminal penalties.
The HIPAA rules apply to both Covered Entities and Business Associates. Covered entities are those who provide treatment, payment and operations in healthcare, including companies and organizations such as doctor’s offices, dental offices, clinics, psychologists, health plans, insurance companies, HMOs and more. A business associate is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
How do you become HIPAA compliant?
The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).
To meet HIPAA compliance requirements for your software, you need to ensure you meet the four main requirements of the HIPAA law:
- Put safeguards in place to protect patient health information.
- Reasonably limit the use and sharing of protected health information to the minimum necessary to accomplish your intended purpose.
- Have agreements in place with service providers that perform covered functions. These agreements, called Business Associate Agreements (BAAs), ensure that service providers (Business Associates) use, safeguard and disclose patient information properly.
- Put procedures in place to limit who can access patient health information, and run training programs on how to protect it.
Can I get a HIPAA compliance certificate?
There is no official body that offers HIPAA Compliance Certification. In fact, the Department of Health and Human Services (HHS), the federal body that oversees HIPAA compliance, does not endorse or recognize the “HIPAA Compliance Certifications” offered by private organizations.
However, the evaluation standard in the Security Rule, § 164.308(a)(8), requires you to perform a periodic technical and non-technical evaluation to make sure your security policies and procedures meet its security requirements. HHS accepts that evaluation whether it is performed internally or by an external organization.
In short, it’s up to you to determine if your administrative, technical, and physical safeguards meet HIPAA compliance requirements.