HIPAA Compliance - Common Questions
Below are the common questions about HIPAA compliance (HIPAA is the acronym for the Health Insurance Portability and Accountability Act) that we receive from organizations looking to host or build eHealth and mHealth applications that use, transmit or store the personal health information of their users.
Do I Need to Be HIPAA Compliant?
The short answer is: if your application handles protected health information (PHI), then you need to be HIPAA compliant. If you are not, you are subject to potential civil and criminal penalties as a result of HIPAA violations. The HIPAA rules apply to both Covered Entities and their Business Associates.
Covered entities are organizations that provide treatment, payment or operations in healthcare. Covered entities include companies and organizations such as doctors' offices, dental offices, clinics, psychologists, health plans, insurance companies, HMOs and more.
Business associates are companies like you: if you are making an mHealth, eHealth or wearable application that manages PHI, then you are a Business Associate under the HIPAA guidelines and you must be HIPAA compliant. SEN stores information in our cloud in a manner that exceeds HIPAA compliance standards.
The Difference Between Protected Health Information and Consumer Health Information
So how do you know whether you are dealing with protected health information (PHI) or consumer health information? The test is fairly simple: if your device or application currently shares, or will share, the user's personal health data held in the app or device with a covered entity such as a doctor, then you are dealing with protected health information and need HIPAA compliance software.
If you are building a wearable device or application that collects the user's personal health information but do not plan on sharing it with a covered entity such as a doctor at any point in time, then you do not need to be HIPAA compliant and do not violate the HIPAA Privacy Rule.
For example, the Nike Fuelband is not HIPAA compliant because it does not track data considered to be protected health information, nor does it allow data transmission from the device to a covered entity.
What Is The HIPAA Privacy Rule?
The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to enforce HIPAA requirements. The Privacy Rule addresses the use and disclosure of individuals' health information by covered entities subject to the Rule. It also creates a standard for individual privacy rights, giving individuals control over, and an understanding of, how their health information is used.
Within HHS, the Office for Civil Rights (OCR) is responsible for implementing and enforcing the HIPAA Privacy Rule, through both voluntary compliance activities and civil money penalties. Anyone can file a complaint with the OCR if they believe a HIPAA violation has occurred.
SEN Technologies is HIPAA Compliant
The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).
In order to meet HIPAA compliance requirements, we ensure that we are meeting or exceeding the four main requirements of the HIPAA law. The four main requirements of the HIPAA Compliance Checklist are:
- Put safeguards in place to protect patient health information.
- Reasonably limit use and sharing of protected health information to the minimum necessary to accomplish the intended purpose.
- Have agreements in place with our customers and suppliers that perform covered functions. These agreements, called Business Associate Agreements (BAAs), ensure that service providers (Business Associates) use, safeguard and disclose patient information properly.
- Put procedures in place to limit who can access patient health information, and run training programs on how to protect patient health information.
Can I Get Certified as HIPAA Compliant?
The short answer is no.
Unlike PCI compliance for financial information, there is no body that can "certify" an organization as HIPAA compliant or issue it a HIPAA Compliance Certification. The OCR within the Department of Health and Human Services (HHS) is the federal governing body that oversees HIPAA compliance, and HHS does not endorse or recognize the "HIPAA Compliance Certifications" issued by private organizations.
It is up to both you and us to determine whether your administrative, technical and physical safeguards meet HIPAA compliance requirements.
What Are The HIPAA Compliance Requirements?
In order to meet HIPAA compliance requirements for our software, we need to ensure that our infrastructure meets the four main requirements of the HIPAA law. The four main requirements of the HIPAA Compliance Checklist are:
- Administrative Safeguards
These are the policies and procedures you have in place to ensure proper employee management, training and oversight for staff who come into contact with or manage protected health information.
- Technical Safeguards
These are controls that a HIPAA compliance platform like SEN manages and that providers of HIPAA hosting do not touch. They include encryption and decryption, audit controls, emergency access procedures, HIPAA file storage and more.
- Physical Safeguards
These are the safeguards around the security of the data. SEN and other HIPAA compliant hosting companies cover this portion of the safeguards, which includes data redundancy and failure requirements, access to servers and more.
SEN fulfills both the Technical and Physical safeguard requirements for HIPAA compliance; HIPAA compliant hosting providers do not fulfill both. Hosting your app or service in a HIPAA compliant environment is not the same as being HIPAA compliant.
HIPAA violations can reach a maximum penalty of $50,000 per violation, with an annual maximum of $1.5 million, which underlines the importance of building and hosting HIPAA compliant software properly.