HIPAA IT Compliance Guide

As IT and healthcare services join forces, the chances of channel partners or managed service providers needing to consider healthcare compliance standards like HIPAA grow. 

Whereas before, MSPs could let their clients be the experts in HIPAA, the responsibilities to safeguard protected health information (PHI) now extend up and down the supply chain. According to the HIPAA Journal, over two million Business Associates and subcontractors aren’t aware of their HIPAA obligations. This gap presents an opportunity for MSPs to offer HIPAA compliance tools to an ocean of organizations that could face penalties for noncompliance.

Here we look at some products that can help with HIPAA and other compliance issues, along with a review of how HIPAA rules apply to IT organizations.

A graphic showing that the features of HIPAA compliance software are documentation, incident management, policies and procedures, remediation plans, self-audits, user permissions, and vendor management. Designed by Sam Ingalls

What is HIPAA Compliance Software?

HIPAA compliance software is a program designed to provide a framework, maintenance, and support for organizations regulated by HIPAA.

For covered entities (CE) and business associates (BA), HIPAA mandates that organizations follow all pertinent rules and that the company demonstrates a good-faith effort by maintaining complete documentation of compliance activities. Before jumping into eight of the top tools on the market, here are the core features of HIPAA compliance software, as shown in the graphic above:

  • Documentation
  • Incident management
  • Policies and procedures
  • Remediation plans
  • Self-audits
  • User permissions
  • Vendor management

Top HIPAA IT Compliance Tools

Here are some tools that could help MSPs work with healthcare customers, as well as any business that might come under healthcare rules and is looking for compliance help.

Accountable

Launched in 2013, Accountable is a SaaS vendor offering tools and resources for maintaining HIPAA compliance. With critical features like risk assessments, employee training, and policy and procedure frameworks, the Fort Worth, Texas-based company aims to make HIPAA compliance easy for organizations. Interested customers can start with a free trial, schedule a demo, or go premium with Accountable’s Complete plan at $399/mo or its Enterprise plan at $1,499/mo.

Azalea Health

Out of Atlanta, Georgia, Azalea Health started in 2008 and offers cloud-based healthcare solutions and services. In all, Azalea’s solutions include electronic health records (EHR), practice management (PM), revenue cycle management (RCM), and a mobile or web-based patient health records portal. For healthcare practitioners, Azalea leans into its roots with plans aimed at ambulatory and hospital care. Azalea is a robust solution for organizations that already run healthcare operations.

Intraprise Health

In January 2021, healthcare insights company Intraprise Health acquired compliance and risk management-focused HIPAA One. HIPAA One developed tools based on simplicity, compliance, automation, efficiency, and resources for almost a decade. From a near-automatic Security Risk Assessment (SRA) process to 100% success in passing OCR and Figliozzi audits and BA management, Intraprise Health gained a valuable business segment. Interested customers can contact HIPAA One for a quote on premium business services.

LifeOmic

In 2016, LifeOmic was founded in Indianapolis, Indiana, and is a software vendor using the cloud, machine learning, and mobile technology in the healthcare, research, and health IT space. LifeOmic’s Precision Health Cloud (PHC), an AWS-built architecture, is the organization’s core solution for assisting healthcare organizations in optimizing operations and compliance. By integrating genomic, EHR, imaging, and more, the PHC breaks down data silos for enhanced visibility. Quotes for PHC are available upon request.

PCIHIPAA

As the name gives away, PCIHIPAA is a risk management vendor that eases the compliance process for PCI, HIPAA, and OSHA-designated organizations. To prevent regulatory non-compliance, data breaches, and human error, PCIHIPAA offers OfficeSafe software for policy frameworks, identity restoration, and self-inspections. All OfficeSafe plans include onboarding, administrator training, 24-7 access, and administrative tracking. Customers can pick between an OSHA-specific plan ($129/mo) or a HIPAA-specific plan ($329/mo); OfficeSafe 360 merges both for $389/mo.

SecPod

SecPod is the first genuine cybersecurity company to make this list, offering critical tools for managing vulnerabilities, assets, endpoints, and compliance. Started in 2008 in Bangalore, India, SecPod bundles all of these capabilities into SanerNow, what it dubs a cyber hygiene platform. SecPod offers preloaded templates for scanning a network of systems, devices, and procedures against the HIPAA, PCI, ISO, and NIST frameworks. Interested customers can schedule a demo or start a free trial.

SecurityMetrics

SecurityMetrics launched in 2000 in Orem, Utah as a merchant data security and compliance vendor. With a bundle of solutions, products include data security, incident response, workforce training, e-discovery, and compliance for PCI, HIPAA, HITRUST, and GDPR. SecurityMetrics offers assessments, onsite audits, and BA compliance monitoring for organizations of varying sizes and business relationships for HIPAA specifically. Quotes are available upon request and based on organization needs.

Virtru

From the innovators that brought us the Trusted Data Format (TDF), Virtru uses trusted privacy technologies to offer its data protection platform to organizations. From governing access to the creation, transmission, and storage of data, Virtru helps organizations manage data through its lifecycle. The TDF, an open industry standard, enables client-side encryption for emails and files. Focused on securing email and application data, Virtru’s HIPAA compliance solution is fit to provide continuous protection in communications that contain PHI. Demos are available upon request.


What is HIPAA? 

HIPAA stands for the Health Insurance Portability and Accountability Act, the landmark US healthcare legislation outlining standards for safeguarding sensitive patient data.

When passed in 1996, the intent of HIPAA was to modernize the American healthcare system through a range of new standards and initiatives. Through the Privacy Rule and the Security Rule established by the US Department of Health and Human Services (HHS), hospitals, healthcare providers, and insurance companies all had a mandate to protect personally identifiable information (PII) and protected health information (PHI) within the scope of HIPAA.

Who Does HIPAA Protect?

HIPAA protects patients. Healthcare service providers of all sizes, capabilities, and complexity are responsible for safeguarding PHI. Protected information for patients includes:

  • Names, photos, and contact information
  • Social Security and medical record numbers
  • Audio, video, or biometric data
  • Birth, death, or treatment data 
  • All other unique identifiers

Who Has To Comply?

Covered Entities

Healthcare providers, health plans, and healthcare clearinghouses that regularly create, maintain, or transmit PHI are known as covered entities (CE). Hospitals typically are CE and liable for ensuring individual employees implement HIPAA compliant policies. Though general employers often maintain healthcare data about employees, the line for HIPAA breaches is less clear.

Business Associates

Any individual or organization working directly with a CE whose business activity includes access to PHI data is known as a business associate (BA). Compliant CE organizations ensure partners like lawyers, IT contractors, cloud service providers, and more sign a Business Associate Agreement (BAA), setting adequate procedures for HIPAA data management.

Though CE organizations are the primary PHI handlers, HIPAA’s guidelines extend to any BA possessing sensitive healthcare data. The HHS Office for Civil Rights (OCR) is currently responsible for issuing HIPAA violations, usually in the form of a fine, no matter if the breach was inadvertent or neglectful.

How Does HIPAA Affect Data & IT?

The short answer – policies, procedures, and documentation. Covered entities must maintain written security policies and procedures, plus evidence of said actions, for six years following the creation of the digital record. Healthcare providers that adopt digital documents or electronic PHI (e-PHI) must periodically review and update records to reflect environmental or organizational changes.

For organizations that work with healthcare service providers, creating, developing, or managing systems could involve the intentional or unintentional collection of patient data protected under HIPAA. While HIPAA covers plenty more, IT organizations are most concerned with the HIPAA Privacy and Security Rule for protecting patient health data.

The consequences of non-compliance include regulatory and legal action, reputational damage, and more.

HIPAA Security Rule

The Security Rule is the HIPAA mandate that ensures organizations interacting with PHI data take adequate measures to protect its integrity. This includes safeguarding created, accessed, processed, or stored PHI at rest and in transit.

The HIPAA Security Rule includes specific guidelines for fulfilling technical, physical, and administrative competencies broken down into three operational areas.

A graphic showing that the HIPAA Security Rule includes the areas of technical, physical, and administrative safeguards organizations should take to protect PHI data. Designed by Sam Ingalls.

Crosswalk to NIST Cybersecurity Framework

Since 2014, the National Institute of Standards and Technology (NIST) has released guidance in a cybersecurity framework to assist organizations in defending their data.

The existing cybersecurity framework and the HIPAA security rule are flexible guides that can give new organizations the whole picture and HIPAA-compliant organizations insights into gaps in their defensive position.

The current NIST Cybersecurity Framework crosswalk for HIPAA includes over 90 subcategories outlining objectives and relevant control mappings for reference. The five overarching operational functions are identify, protect, detect, respond, and recover.
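The gap-finding use of a crosswalk described above can be automated once the mapping is in a machine-readable form. The script below is an added example, not code from the article, NIST, or HHS: it holds a small constructed sample of crosswalk rows (subcategory, CSF function, objective, HIPAA Security Rule citation), takes a register of the controls an organization has evidence for, and reports uncovered subcategories per function, coverage ratios, and the reverse lookup from a HIPAA citation to the CSF subcategories that address it. The citations are abbreviated and illustrative; check them against the official HHS crosswalk before relying on them.

```python
"""Gap analysis over a HIPAA Security Rule to NIST CSF crosswalk.

Added example, not from the article or from NIST/HHS. CROSSWALK is a
constructed sample; the official crosswalk has more than 90 subcategories,
and the citations here are abbreviated for illustration.
"""
from collections import defaultdict

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# subcategory id -> (CSF function, objective, HIPAA Security Rule citations)
CROSSWALK = {
    "ID.AM-1": ("Identify", "Physical devices and systems are inventoried",
                ["45 CFR 164.310(d)"]),
    "ID.RA-1": ("Identify", "Asset vulnerabilities are identified and documented",
                ["45 CFR 164.308(a)(1)(ii)(A)"]),
    "PR.AC-1": ("Protect", "Identities and credentials are managed",
                ["45 CFR 164.308(a)(3)", "45 CFR 164.312(a)(2)(i)"]),
    "PR.DS-1": ("Protect", "Data at rest is protected",
                ["45 CFR 164.312(a)(2)(iv)"]),
    "PR.DS-2": ("Protect", "Data in transit is protected",
                ["45 CFR 164.312(e)(1)"]),
    "DE.CM-1": ("Detect", "Systems are monitored to detect security events",
                ["45 CFR 164.312(b)"]),
    "RS.RP-1": ("Respond", "Response plan is executed during or after an incident",
                ["45 CFR 164.308(a)(6)"]),
    "RC.RP-1": ("Recover", "Recovery plan is executed during or after an incident",
                ["45 CFR 164.308(a)(7)"]),
}


def gap_report(implemented):
    """Return {function: [(subcategory, objective, citations), ...]} for every
    crosswalk subcategory that has no evidence recorded against it.
    `implemented` maps subcategory id -> short description of the evidence."""
    gaps = defaultdict(list)
    for sub, (func, objective, cites) in sorted(CROSSWALK.items()):
        if sub not in implemented:
            gaps[func].append((sub, objective, cites))
    return dict(gaps)


def coverage_by_function(implemented):
    """Fraction of crosswalk subcategories with evidence, per CSF function."""
    totals, done = defaultdict(int), defaultdict(int)
    for sub, (func, _, _) in CROSSWALK.items():
        totals[func] += 1
        if sub in implemented:
            done[func] += 1
    return {f: done[f] / totals[f] for f in FUNCTIONS if totals[f]}


def subcategories_for_citation(citation_prefix):
    """Reverse lookup: CSF subcategories that address a HIPAA citation.
    Prefix match, so '45 CFR 164.312' selects every technical safeguard."""
    return sorted(sub for sub, (_, _, cites) in CROSSWALK.items()
                  if any(c.startswith(citation_prefix) for c in cites))


def unknown_entries(implemented):
    """Evidence recorded against ids missing from the crosswalk (likely typos),
    which would otherwise silently count for nothing."""
    return sorted(set(implemented) - set(CROSSWALK))


# Constructed evidence register for a small practice (hypothetical).
SAMPLE_EVIDENCE = {
    "ID.AM-1": "asset inventory reviewed quarterly",
    "PR.AC-1": "per-user EHR accounts, MFA enforced",
    "PR.DS-2": "TLS 1.2+ on patient portal and SFTP to billing vendor",
    "RS.RP-1": "incident response plan, tabletop exercise on file",
}

if __name__ == "__main__":
    for func, items in gap_report(SAMPLE_EVIDENCE).items():
        print(f"[{func}] {len(items)} gap(s)")
        for sub, objective, cites in items:
            print(f"  {sub}: {objective}  <- {', '.join(cites)}")
    for func, frac in coverage_by_function(SAMPLE_EVIDENCE).items():
        print(f"{func}: {frac:.0%} covered")
    print("Typos in register:", unknown_entries(SAMPLE_EVIDENCE))
```

Run as a script it lists, for the sample register, one uncovered subcategory each under Identify, Protect, Detect, and Recover and full coverage under Respond. Keeping the crosswalk as data rather than prose means the same register can be re-run after a merger or a new contractor is onboarded, which is exactly when the article says compliance should be reassessed.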

HIPAA IT Compliance Checklist

If you’re new to HIPAA compliance, the accompanying checklist should offer a vision of how to get compliant. Migrating to HIPAA compliance overnight isn’t possible. Becoming compliant is a project that requires research, planning, and execution of policies and procedures over time.

CE organizations are required to inform their Business Associates of HIPAA standards, evaluate them, and affirm compliance, thus ensuring an informed stakeholder ecosystem. For organizations knee-deep in healthcare data, hiring a HIPAA Compliance Officer and training personnel should be priorities. With clear guidelines and consistent accountability, organizations can feel confident in their protocols.

A graphic showing eight steps to use for a HIPAA compliance checklist. Designed by Sam Ingalls.

HIPAA Risk Assessment

Though HIPAA requires designated organizations to complete risk assessments, there is no one risk analysis methodology offered. Instead, HHS provides the following objectives for conducting risk audits and assessments:

A graphic showing the objectives any HIPAA risk assessment should have to maintain compliance and ensure systems are prepared for the future. Designed by Sam Ingalls.

Enforcing HIPAA and Penalties for Noncompliance

The HIPAA Enforcement Rule elaborates on the process for investigating and penalizing organizations violating HIPAA regulations, usually in the form of a PHI breach. While notable instances of willful neglect can result in criminal charges, most penalties issued by the HHS OCR are civil lawsuits or financial penalties.

Organizations can be fined anywhere from $100 to $1.5 million per year per violation, depending on the number of records exposed, the risk posed by the breach, and the level of negligence.

Common Violations and Disclosures

  • No administrative, physical, or technical safeguards are in place for patient records
  • Misuse of PHI on social media, messaging, or public conversation
  • Cyberattacks, breaches, and theft of equipment storing PHI
  • Overdisclosing PHI to third parties beyond intent or need of the patient

Reassessing HIPAA IT Compliance

Being HIPAA compliant is a constant battle to safeguard data, maintain accountability systems, and boost security defenses. On an annual basis, organizations must review the included checklist, complete a risk assessment, and document findings. Security officers should be on alert to ensure HIPAA compliance remains intact through change, especially with organizational changes – be it a merger, new partner, or contractor.

Because the range of organizations varies widely, the complexity of investment needed to fulfill HIPAA compliance can be considerable. Luckily, a market of HIPAA compliance software providers is available to help organizations take on the task of protecting PHI data.

Sam Ingalls
Sam Ingalls is a content writer and researcher covering enterprise technology, IT trends, and network security for eSecurityPlanet.com, Webopedia.com, ChannelInsider.com, and ServerWatch.com.
