When searching for a new healthcare solution to meet your organization’s needs, it’s easy to see the labels “HIPAA Certified” or “HIPAA Compliant” and believe your bases are covered. After all, “HIPAA Certified” means the product or application follows HIPAA’s privacy rules and has everything in place to protect your health and patient information, right?
Unfortunately, no. While such a certification could be useful to organizations in the future, giving them peace of mind during the stressful process of shopping for new solutions, the U.S. Department of Health and Human Services (HHS) "does not contemplate certification of HIPAA compliance, nor does it authorize any third party to provide an 'official' certification," as this recent article from HealthData Management reports. This means a vendor may describe its product as compliant or certified, but the label carries no legal or regulatory weight: no authority stands behind it, and it transfers none of your compliance obligations to the vendor.
If you see a solution labeled "HIPAA Certified," you can still consider it a viable option, but do so carefully. Businesses often use these terms as a simple way to say "we meet all of HIPAA's rules and regulations in our given field, and we can help you take steps toward full compliance." But they can't guarantee their product will make you compliant, and ultimately the responsibility to become and remain compliant rests on you and your organization.
Rob Reinhardt, owner of Tame Your Practice, a company that provides consulting to mental health and wellness professionals, says this of "HIPAA Certified" solutions: "You cannot maintain HIPAA compliance by simply 'only purchasing HIPAA compliant stuff.' Only Covered Entities and Business Associates can be compliant. They do so by following all of the requirements of HIPAA and HITECH, which are extensive." Covered Entities are health care providers, like doctors and psychologists, health plans, like health insurance companies or government plans, or health care clearinghouses. Business Associates are people or businesses that create, receive, maintain, or transmit protected health information on behalf of a Covered Entity, such as a hosting, billing, or file transfer vendor that handles ePHI; they carry their own direct obligations under HIPAA and must sign a Business Associate Agreement with the Covered Entity.
Are you shopping for a solution that will support your business processes and bring you one step closer to full HIPAA compliance? To make the search less painful, here are a couple tips we recommend following when vetting potential companies.
1. Read the Fine Print
When you come across a product that is labeled certified or compliant, read the fine print to see exactly what is being offered. Make sure the vendor clearly lists what it will do to help your organization achieve HIPAA compliance, and be wary of any company that hides this information or won't give it to you. Think carefully, too, before purchasing software from a business that has been declared HIPAA compliant by a third party. Since HHS authorizes no official certification, such an attestation is only as strong as the scope and criteria of the assessment behind it, so ask to see the report rather than taking the badge at face value.
2. Ask the Right Questions
Go into the conversation or demo with a list of questions you need answered. Here are a few we recommend to get you started:
- Do you have a clear outline of how your product will help me become HIPAA compliant?
- Do you have a HIPAA compliance checklist I can see?
- How does the product encrypt sensitive data, both in transit and at rest, and how are the encryption keys managed?
- Can it produce audit logs and reports of who accessed or moved data, when, and from where, and are those logs protected from tampering?
- What level of expertise does your business have with HIPAA and HITECH?
- Do you have a HIPAA specialist on staff that I could talk to?
In the end, finding a solution that matches your needs shouldn't be difficult. Just remember: the right solution will help you on your journey to HIPAA compliance, not guarantee it. Only you can do that, by making sure your organization meets all HIPAA regulations.
Looking for a managed file transfer solution that can help your organization meet several key HIPAA and HITECH requirements via a managed, centralized, and auditable environment? Our solution, GoAnywhere MFT, may be right for you.
To learn more, download our white paper, How Managed File Transfer Addresses HIPAA Requirements for ePHI, or view our HIPAA and HITECH solutions brief.