HIPAA COMPLIANCE

HEALTHCARE IT STANDARDS GOVERNING DATA SECURITY

HIPAA compliance involves fulfilling a list of requirements, amendments, and any other related legislation such as HITECH.

We help companies in the process of defining their tech strategy toward HIPAA, and in the development of HIPAA Compliant application.

Get in touch

IS MY HEALTHCARE SOFTWARE SUBJECT TO HIPAA COMPLIANCE?

Introduction

The Health Insurance Portability and Accountability Act sets national standards for safeguarding patient health data. It's utilized to protect the privacy and security of PHI by presenting guidelines for providing individual health records in electronic formats.

The premise here is that every company that processes PHI (protected health information) must comply with HIPAA. However, there are some edge cases in which HIPAA isn't required.

Contents

HIPAA-COVERED ENTITIES

Starting with the basics, there are four different types of covered entities:

HEALTH PLANS

Such as health insurance companies, HMOs, company health plans, government programs paying for health care, and the military and veterans health care programs.

HEALTHCARE CLEARINGHOUSES

Entities that process nonstandard health information received from other entities.

BUSINESS ASSOCIATES

Any person or entity that performs functions or activities involving using or disclosing PHI on behalf of or providing services to a covered entity.

HEALTHCARE PROVIDERS

Doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies who transmit any electronic information about a transaction for which the Department of Health and Human Services HHS has adopted a standard.

OTHER HIPAA COMPLIANT SUBJECTS

You might think your healthcare app isn't within these types of companies, but here's the trick:

If your app collects, uses, or stores PHI of users and transmits this to any covered entity, your business and product must be HIPAA compliant.

NON HIPAA COMPLIANT SUBJECTS

If your medical app deals with personal health data about the person using it, but is exclusively meant for personal use, and:

  • Doesn’t involve at any point an exchange of PHI with a covered entity
  • Doesn’t involve personally identifiable user information

The app is not subject to HIPAA compliance.

To sum up, whether your company is within the covered entities or not, if it transfers or stores PHI, you must comply with HIPAA.

HIPAA COMPLIANCE REQUIREMENTS

It is very hard to define what are the exact HIPAA compliance requirements. They are intentionally vague since the aim is for them to be equally admissible for any type of Business Associate or Covered Entity that can create, access, process, or store PHI.

HIPAA SECURITY RULE

It contains the standards that must be applied in order to safeguard and protect electronically created, processed, accessed, or stored PHI when in transit and at rest. This rule extends to any person or system that has access to confidential patient data. There are three parts to the Security rule:

1. Technical safeguards

It addresses the technology that is (...)

HIPAA PRIVACY RULE

The privacy rule sets national standards to protect confidentiality, integrity, and availability of PHI. It states how ePHI can be used and disclosed. It applies to all healthcare organizations, health plan providers and their employees, healthcare clearinghouses, and Business Associates of covered entities.

The Privacy Rule guarantees that appropriate safeguards are implemented in order to protect the privacy of PHI, as (...)

HIPAA BREACH NOTIFICATION RULE

This rule requires Covered Entities to inform and notify patients in case of a breach of their PHI without unreasonable delay and in no case later than sixty days following the discovery.

It also requires entities to notify the Department of Health and Human Services of the breach by issuing a notice to the media if and when the breach affects more than five hundred patients. In case of smaller breaches, the responsible entity must report it via the OCR web portal. These notifications (...)

HIPAA OMNIBUS RULE

The Omnibus Rule was introduced to address areas that had been ignored by previous updates to HIPAA. It clarified procedures and policies, amended definitions, and expanded the compliance list so that it covers Business Associates and their subcontractors.

HIPAA ENFORCEMENT RULE

The Enforcement Rule contains provisions about the investigations that follow a breach of PHI, the penalties that could be imposed, and the procedures for hearings.

Fines are imposed depending on the violation category, the number of records exposed in the breach, the risk posed by the exposure of the data, and the level of negligence involved.

SCHEDULE A FREE 30-MIN CONSULTATION CALL

Our team of digital health experts will help you evaluate the type of service you need, and define the best fit for your project.

Get a quote

WHAT IS CONSIDERED PROTECTED HEALTH INFORMATION UNDER HIPAA RULES?

PHI is any identifiable health information (past, present, or future) of an individual that is stored, maintained, or transmitted by a HIPAA-covered entity. Information can only be considered PHI if an individual could be identified from it, meaning that if all identifiers are stripped from health data, it stops being protected, and rules no longer apply.

Essentially, any health information is PHI if it includes any of these 18 individual identifiers:

  • Names
  • Dates (except years)
  • Telephone numbers
  • Geographic data
  • FAX numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary digits
  • Certificate/license digits
  • Vehicle identifiers, serial numbers ,and license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and comparable images
  • Biometric identifiers (i.e., retinal scan, fingerprints)
  • Any unique identifying number or code

CONTACT US

Let’s talk

Whether it's a quick question or a fantastic idea, let's start with a conversation.

Schedule a call
Man cartoon