What is HIPAA Privacy?

The HIPAA Privacy rule (sometimes referred to as the HIPAA Security rule) requires health care providers and organizations, as well as their business associates, to develop and follow procedures ensuring the confidentiality and security of electronic protected health information (PHI).

Anything related to health, billing or treatment information that could identify a patient is PHI. This information includes:

Key points from the HIPAA Privacy rule

What’s the risk?

If you violate the HIPAA Privacy rule, fines can be substantial. Companies can face fines ranging from $100 to $50,000 per record or violation – with a maximum penalty of up to $1.5 million per year, for each violation. There can even be criminal charges and jail time.

The incident and your company could be placed on the Wall of Shame. As required by the HITECH Act, breaches of unsecured protected personal health information (PHI) affecting 500 or more individuals will be posted here.

For example, on July 17, 2020, Lifespan Health System was fined over $1,040,000 for the theft of unencrypted laptops.

This sort of event could greatly impact your business reputation and ability to continue as a business.

The good news is the risk of such events can be reduced with proper planning and by following the HIPAA Privacy rule. Let’s learn how to prevent such situations so that your business can be successful, maintain a great reputation in the market, and be trusted by end users.

How does it impact software you develop or integrate with?

Below are some of the key high-level controls that must be considered for software being developed. Within each of these categories, there is much to be considered.

Software must be designed and implemented in a way that complies with HIPAA regulations. Not considering these aspects upfront can waste a great deal of time and money.

Does my software provider need to be compliant?

The HIPAA Privacy rule applies not only to “covered entities”, but also to “business associates” if that business associate needs to work with PHI. If you need to disclose protected information to a software vendor, then they are a business associate and are required to protect that PHI. You should put a standard BAA (Business Associate Agreement) in place with that vendor.

Below are a few examples of why your software vendor may intentionally or unintentionally obtain access to protected health information. These will not be applicable to every situation.


What does the right software provider look like?

Choosing the wrong software provider could be costly, leading to fines, reputational risk, wasted time, wasted development effort, and in some cases a fatal blow to your business.

If you would like a free copy of a healthcare software vendor vetting checklist, please enter your phone and email below and we will send it to you. Please note we will provide this to healthcare providers and not IT companies. In the meantime, please check out the high-level requirements below that we recommend for any vendor you consider working with.

Healthcare Industry know-how

Regulatory and compliance

Software security

Physical security

Internal controls

Workspace training