What is HIPAA and HIPAA Compliance?

Learn more about HIPAA and HIPAA compliance (HHS.gov)

Do I Need to be HIPAA Compliant?

NOTE: If you have a project or data storage / transfer need that involves protected data, or if you are not sure if you do, Start a Conversation with us so we can ensure you have the best resources and environment possible for your work.

--

The short answer is: if your application handles protected health information (PHI) then you need to be HIPAA compliant. If you do not, then you are subject to potential civil and criminal penalties as a result of HIPAA violations. The HIPAA rules apply to both Covered Entities and their Business Associates.

Covered entities are anyone who provides treatment, payment and operations in healthcare. Covered entities include companies and organizations such as: doctor's offices, dental offices, clinics, psychologists, health plans, insurance companies, HMOs and more.

Business associates are companies like you—if you're making an mHealth, eHealth or wearable applications that manages PHI, then you are a Business Associate under the HIPAA guidelines and you must be HIPAA compliant.

The Difference Between Protected Health Information and Consumer Health Information

So how do you know if you're dealing with protected health information (PHI) or consumer health information? The test is pretty simple: if your device or application currently shares or will share the user's personal health data held in the app or device with a covered entity such as a doctor then you are dealing with protected health information and need HIPAA compliance software.

If you are building a wearable device or application that collects the user's personal health information, but do not plan on sharing it with a covered entity such as a doctor at any point in time, then you do not need to be HIPAA compliant and do not violate the HIPAA Privacy Rule.

For example, the Nike Fuelband is not HIPAA compliant because it does not track data considered to be protected health information nor allow data transmission from the device to a covered entity.

What Is The HIPAA Privacy Rule?

The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to enforce HIPAA requirement. The Privacy Rule addresses the use and disclosure of the health information for individuals by covered entities subject to the Rule. It also creates a standard for individual privacy rights to control and understand how their health information is used.

Within HHS, the Office for Civil Rights (OCR) has a responsibility to implement and impose the HIPAA Privacy Rule with respect to voluntary compliance activities and civil money penalties. Anyone can file a complaint to the OCR if they believe a HIPAA violation has occurred.

How Do You Become HIPAA Compliant?

The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).

In order to meet HIPAA compliance software requirements you need to ensure you're meeting the four main requirements of the HIPAA law. The four main requirements of the HIPAA Compliance Checklist are:

1. You must put safeguards in place to protect patient health information.
2. Reasonably limit use and sharing of protected health information to the minimum necessary to accomplish your intended purpose.
3. Have agreements in place with service providers that perform covered functions. These agreements, called Business Associate Agreements (BAAs) ensure that service providers (Business Associates) use, safeguard and disclose patient information properly.
4. Procedures to limit who can access patient health information, and training programs about how to protect patient health information.money penalties.

Can I Get Certified as HIPAA Compliant?

The short answer is no.

Unlike PCI compliance for financial information, there is no one that can "certify" that an organization with a HIPAA Compliance Certification. The OCR from the Department of Health and Human Services (HHS) is the federal governing body that oversees HIPAA compliance. HHS does not endorse or recognize the "HIPAA Compliance Certifications" made by private organizations.

It's up to you to determine if your administrative, technical, and physical safeguards meet HIPAA compliance requirements.

What Are The HIPAA Compliance Requirements?

In order to meet HIPAA compliance software requirements you need to ensure you're meeting the four main requirements of the HIPAA law. The four main requirements of the HIPAA Compliance Checklist are:

1. Administrative Safeguards
   These have to do with the policies and procedures you have in place to ensure the proper employee management, training and oversight for staff that come into contact or manage protected health information.
2. Technical Safeguards
   These include things like encryption and decryption, audit controls, emergency access procedures, HIPAA file storage and more. Learn more about the technical safeguard requirements of the HIPAA security rule.
3. Physical Safeguards
   These are the safeguards around the security of the data. TrueVault and other HIPAA compliant hosting companies cover this portion of the safeguards and includes data redundancy and failure requirements, access to servers and more. Learn more about the physical safeguard requirements of the HIPAA security rule.

HIPAA violations can reach a maximum penalty of $50,000 per violation, with an annual maximum of $1.5 million, which underlies the importance of building HIPAA compliant software properly.