The healthcare field presents several different opportunities for software companies, including data analytics, automated patient communications, telemedicine and transportation scheduling to name a few.
However, healthcare is also one of the most heavily regulated industries as well. In 2019 alone, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigated 29,853 complaint cases.
In Avertium’s experience, we have found many software companies looking to develop for the healthcare market are unaware they must be HIPAA compliant.
“One area Avertium has really been able to help people with HIPAA compliance is when software companies looking to develop for the healthcare industry don’t know they have to be HIPAA compliant or what that means,” explains Avertium healthcare security consultant Andrew Ange. “These are generally smaller companies catering their services to help a healthcare entity do their job faster and easier, but what we often see with these software developers’ technical backgrounds is that they’ve never had to deal with protected health information.”
Since software companies dealing with personal healthcare data must be compliant, understanding their obligations under HIPAA is essential to winning business and avoiding fines.
Does HIPAA Apply to Me?
HIPAA defines two types of organizations that are covered by the regulation.
- Covered entities are defined as healthcare providers, health plans, and healthcare clearinghouses. These are the organizations that are likely to interact directly with patients and get data from them.
- Business associates are any partners or subcontractors of covered entities that have access to patients’ protected data. This means that, if a company is receiving any patient data from a healthcare provider – whether or not it is medical data – it is required to comply with HIPAA.
For more information about if HIPAA applies to you, read this post.
What Do I Need to Know About HIPAA Compliance?
Almost a quarter of healthcare data breaches are directly attributed to business associates, and these organizations are likely involved in a much higher percentage of breaches. Failing to understand and comply with HIPAA regulations places an organization at risk.
Full compliance with the law requires an in-depth review and audit against its specific requirements. However, putting certain high-level policies, procedures, and security controls in place can dramatically simplify the compliance process.
Business Associate Agreements and Legal Liability
Business associates must sign a Business Associate Agreement with any covered entities that they are working with. While the covered entity will likely provide the agreement, the signatory needs to understand what they are signing.
This requires access to legal counsel with an understanding of the HIPAA regulations that can explain an organization’s responsibilities under them. If a breach of patient data occurs, the OCR will perform an investigation and attempt to verify that all organizations with access to that data, including business associates, were compliant with the regulation.
The Importance of Secure Design and Development
In the healthcare space, PHI will likely be transmitted from the covered entity’s network to that of the business associate, and possibly on to the cloud from there.
All this infrastructure must be compliant with HIPAA requirements. This requires robust secure design and coding practices that ensure that software processing critical data does not contain exploitable vulnerabilities and that sensitive data is secured both at rest and in transit.
Perform Periodic Risk Assessments
While secure coding practices can help to decrease the incidence of vulnerabilities, it does not eliminate them. Oversights, configuration mistakes, and other errors can result in exploitable vulnerabilities. As a result, it is advisable to perform periodic risk assessments to determine whether the organization’s existing security controls are adequate to protect PHI and maintain HIPAA compliance.
The HIPAA regulation does not contain any explicit rules regarding the frequency of risk assessments. However, it is recommended to perform them regularly and engage in a third-party risk assessment, performed by an organization with HIPAA expertise, at least every three years.
Related Reading: First HIPAA Risk Assessment? Here’s How to Be Prepared
Compliance Documentation is Essential
Properly securing data and complying with HIPAA requirements is important. However, in addition to having the proper controls and processes in place, passing an audit also requires the ability to demonstrate that they are operational and effective.
For this reason, documentation is an essential component of HIPAA compliance. Any activities designed to protect PHI or achieve compliance should be clearly documented. Not only does this help with compliance audits, but for software companies looking to develop for the healthcare industry, it can also be a competitive advantage when demonstrating to potential partners or customers that the organization maintains HIPAA compliance and properly minimizes cybersecurity risk.
Related Reading: Complying with HIPAA Encryption Standards; What You Need to Know
Managing Third-Party Risk
Most organizations are dependent upon a number of third-parties. Common sources of third-party risk include:
- Cloud Service Providers: Most cloud services providers carry SOC2 compliance and are compliant with HIPAA requirements. However, it is essential to verify that data is being handled properly in accordance with applicable regulations.
- Third-Party Code: The average application contains 445 open-source components, and 75% of applications used at least one open-source component with a known vulnerability. Software security audits are essential to minimizing the risk of exploitation and exposure of PHI.
These are only a couple of the potential sources of external risk to an organization. Companies should regularly assess sources of potential third-party risk and take steps to ensure that these risks do not threaten their HIPAA compliance.
Reaping the Benefits of HIPAA Compliance
Achieving HIPAA compliance is essential to minimizing an organization’s risk of a data breach or audit by the OCR. Failing to properly secure PHI places the company at risk of regulatory penalties and legal proceedings.
However, HIPAA compliance can also be essential to gaining customers and maintaining a competitive advantage. Healthcare organizations are aware of their responsibilities under HIPAA and will not work with an organization that is not compliant as well. Working to understand and achieve HIPAA compliance early in the process helps to ensure that oversights do not cause missed release deadlines or other issues down the line.
Getting Expert Help
While software companies may not be aware of their HIPAA compliance obligation at the outset, the good news is Avertium has experienced enthusiasm to comply from software company customers.
“We often work with startup software companies looking to break into the healthcare space who may not even have clients yet, so the clock is ticking for them to take their solution to market,” says Ange. “They just don’t know the resources at their disposal or understand exactly what they need to do; but when we make our recommendations, they hit the ground running. They’re ready to implement as soon as possible.”
The Avertium HIPAA Certification Program (HCP) simplifies compliance and empowers companies that offer healthcare software and other applications that deal with PHI to not only secure their systems, but to also demonstrate compliance to current or perspective customers.
- Annual HIPAA Risk Assessment
- Annual HIPAA Gap Analysis
- HIPAA Roadmap to Security Compliance
- Ongoing Quarterly Touchpoints
- Proof of Certification via the Avertium HCP Seal
With Avertium, you get more rigor, more relevance, and more responsiveness. Don’t just comply, download our guide to HIPAA compliance today and show no weakness.