A Guide for Evaluating Technology for HIPAA Compliance


We've worked with healthcare professionals long enough to know that closing one's eyes, crossing one's fingers, and hoping for the best is not a viable HIPAA strategy. This is increasingly the case as the public becomes more aware of and concerned about data privacy and as regulators show less and less leniency toward small and mid-sized practices. Now, making a complaint about a potential HIPAA violation is as easy as logging onto HHS's website.

Furthermore, the fines for noncompliance can be catastrophic, ranging up to $50,000 per violation. For example, in 2010, an unencrypted laptop belonging to an employee of a neurologist practice in Massachusetts was stolen, resulting in a HIPAA investigation that led to a settlement of $1.5 million. And in 2009, a cardiac surgery group was fined $100,000 after a patient reported that they suspected the group was using a cloud-based calendar that was not HIPAA compliant.

All this to say that it's imperative that healthcare professionals think strategically about the technology they use. The following questions provide four steps toward evaluating whether a technology solution will facilitate or hinder HIPAA compliance for your practice.

1. Will the Vendor Sign a BAA?

If the vendor of the technology under consideration will create, edit, or otherwise have access to your patients' EPHI (Electronic Protected Health Information), you must have them sign a Business Associate Agreement (BAA) stating that they will adequately safeguard that EPHI. Because more and more software, from EHR/EMRs to calendars to file storage, utilizes cloud technology (i.e., stores your data in data centers owned and run by the vendor), the necessity for BAAs is on the rise.

2. How Well Does the Product Facilitate Compliance?

Even if the solution you're considering advertises itself as "HIPAA compliant," and even if the vendor signs a BAA, your compliance still comes down to how the solution handles data and how you use it.

The first thing to assess is how secure your data will be in the solution. Will it encrypt data both at rest and in transit? Will your data be stored redundantly to protect against disaster? Does the solution facilitate the use of unique usernames and passwords for employee access? Will it easily and securely integrate with your other software solutions, such as your EHR/EMR?

Secondly, it's important to think through what compliant use of the solution will look like. For example, using the Box Enterprise file storage/syncing solution in a HIPAA-compliant manner is fairly straightforward, as administrators have the ability to assign access to folders containing EPHI to the appropriate members of their organization. By contrast, using Google Apps for Work in a HIPAA-compliant manner is much more complicated, as it's difficult to lock down the flow of data between Google's different Apps (Gmail, Docs, etc.), some of which facilitate compliance and some of which don't.

3. Can You Document Compliant Policies and Procedures for Using the Product?

In our experience, a product that looks good on paper can become a HIPAA liability once you start doing the hard work of documenting policies and procedures around how it will fit in your workflow. For instance, incorporating a HIPAA-compliant cloud-based calendar solution for a client can become complicated if you want your employees to be able to download the calendar to their personal smartphones. The data may be secure in the cloud, but it may not be secure on those mobile devices.

So, we recommend taking a three-step approach to deciding whether you can integrate a new product:

  1. Look at your current HIPAA policies and procedures. Where will the new product fit in? What policies and procedures will need to be added or rewritten?
  2. Think like an auditor: will using the product increase or decrease risk to EPHI? Remember that the new product will need to be assessed for risks, and you may need to document a justification for using it.
  3. How will compliant use affect your workflow, for both business operations and patient care?

4. Will Your Staff Be Able to Carry Out Your Policies and Procedures?

No matter how strong the technology you are considering is when it comes to security and compliance, you will only be compliant if your staff members use it correctly, in accordance with your documented policies and procedures. So, the decision-making process should include the following considerations:

  1. Will compliant use make your team members' jobs easier or harder?
  2. What kind of education or training will your workforce need to use the new product in a compliant manner?
  3. What kinds of learning curves will your staff face, and how will this affect business operations and patient care?

These four steps will get you well on your way toward evaluating new technologies for HIPAA compliance. As you can see, the decision to adopt is a lot more complicated than simply asking whether or not the vendor advertises the product as "HIPAA Compliant." It involves a strategic evaluation that takes your organization's workflow and workforce into account. If you need help thinking through ensuring the compliance of your technology, don't hesitate to contact us.

Disclaimer: We are not lawyers, so this article should not be construed as legal advice. This article is for informational purposes only.