When searching for a new software solution to meet your organization’s needs, it’s easy to see the labels “HIPAA-Certified” or “HIPAA Compliant” and believe your bases are covered. After all, “HIPAA-Certified” means the product or application follows HIPAA’s privacy rules and has everything in place to protect your health and patient information, right?
Unfortunately, no.
While such a badge or certification could be useful for healthcare organizations in the future (and give them peace of mind during the involved process of researching and shopping for new solutions), the U.S. Department of Health and Human Services (HHS) does not test, validate, or certify software solutions for HIPAA compliance.
Businesses that offer solutions that help organizations meet HIPAA requirements can certainly tout their products as compliant or certified, but such a claim has no legal standing and no regulator stands behind it.
Why Does HIPAA Compliance Matter?
From a high level, HIPAA (Health Insurance Portability and Accountability Act) outlines the appropriate ways to use and disclose individuals’ health information. HIPAA, which was signed into federal law in 1996, has helped organizations adhere to the strict regulations and frequent regulatory changes present in healthcare, and has also facilitated the creation of national standards to protect sensitive patient information, including from unwanted or inadvertent disclosure.
In terms of file sharing and transfer, HIPAA requires secure channels of communication between any Covered Entities and Business Associates, alongside patient permission.
- Covered Entities are healthcare providers, including doctors and psychologists, health plans, health insurance companies, government plans, or healthcare clearinghouses.
- Business Associates are people or businesses that help Covered Entities carry out their daily function.
These two groups must both obtain permission to purposely share patient data with other parties and must also take steps to limit data exposure both in the normal course of daily activity, and from data breaches.
What is HIPAA Certification?
HIPAA certification is gained by organizations that participate in educational courses or training designed to teach staff how to uphold HIPAA compliant processes. While HIPAA-certified organizations have more information in their arsenal, they are not necessarily HIPAA compliant. Both organizations as a whole and individual staff members can gain HIPAA certification.
How to Become HIPAA Compliant
HIPAA compliance is an ongoing process your organization must undertake day-to-day. “You cannot maintain HIPAA compliance by simply ‘only purchasing HIPAA compliant stuff.’ Only Covered Entities and Business Associates can be compliant. They do so by following all of the requirements of HIPAA and HITECH, which are extensive,” says Rob Reinhardt, CEO of Tame Your Practice, a company that provides consulting to mental health and wellness professionals, about HIPAA-Certified solutions.
Finding HIPAA-Certified Security Solutions
So, how can you vet software solutions for HIPAA and HITECH compliance? Here are four essential steps you can take to ensure the products you’re considering will boost your organization’s data security and help you achieve or uphold HIPAA compliance:
1. Read the Fine Print
When you come across a product that is labeled certified or compliant, read the fine print to see exactly what the vendor is offering you. Make sure they clearly list what they will do to assist your organization in achieving HIPAA compliance, and be wary of any company that hides this information or won’t give it to you. We also recommend you think carefully before purchasing software from a business that has been declared HIPAA compliant by a third party; just because someone else says they are compliant doesn’t mean they are.
2. Consider the Features You Need
Finding the right way to boost your security policies and mitigation strategies can be a long process. There are many solutions available that encrypt data, limit user access, audit file movements, and overall improve your file storage and movement security, but finding the right one can be overwhelming.
Consider the problems you’re trying to solve, and the features that can answer them. Some common healthcare-related needs include:
- Identity and access management
- Security and integrity monitoring
- Virus protection
- Detailed audit logs
If these features look familiar, a managed file transfer (MFT) solution could be for you.
3. Ensure Your Data Transfers are Secure
One of the essential goals of HIPAA is to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). Switching from plain FTP, which sends credentials and file contents in cleartext, to more secure options like SFTP, FTPS, or OpenPGP can also help ensure your processes meet HIPAA standards. Look for a solution that puts your file security at the forefront by:
- Centralizing file transfer processes within your organization
- Automating workflows to reduce human error inherent in manual processes
- Monitoring file transfer processes, including who is accessing the files and whether they are successfully delivered
- Encrypting files
- Enabling protection beyond your firewall by using an enhanced reverse proxy in the DMZ
A solution that keeps data integrity and access top-of-mind helps you meet the essential tenets of HIPAA and avoid breaches and associated penalties.
4. Ask the Right Questions
Go into the conversation or demo with a list of questions you need answered. Here are a few we recommend to get you started:
- Do you have a clear outline of how your product will help me become HIPAA compliant?
- Do you have a HIPAA compliance checklist I can see?
- How does the product encrypt sensitive data?
- Can it run audit reports of data access and movement?
- What level of expertise does your business have with HIPAA and HITECH?
- Do you have a HIPAA specialist on staff whom I could talk to?
In Conclusion: Finding and Using HIPAA-Certified and Compliant Solutions
If you see a solution labeled “HIPAA-Certified” or “HIPAA Compliant,” you can still consider it a viable option – but do so carefully. Businesses often use these terms as a way to say: we meet all of HIPAA’s rules and regulations in our given field, and we can help you take steps toward full compliance.
However, businesses cannot guarantee their product will make you compliant. The ultimate responsibility for becoming and remaining HIPAA compliant rests on you and your organization.
In the end, finding a solution that matches your needs shouldn’t be difficult. Remember: the right solution will help you in your journey to HIPAA compliance, not guarantee it. Only you can do that, by making sure your organization meets all HIPAA regulations.
See how a managed file transfer solution can help you meet HIPAA compliance requirements and simplify your electronic data transfers in our guide, How MFT Addresses HIPAA Requirements for ePHI.