HIPAA-Compliant Accounting Software (Part 2)

How Does HIPAA Compliance Work?

For an organization to become HIPAA-compliant, they must create policies, examine current practices, and implement necessary changes. The Department of HHS’ Office for Civil Rights, the governing body that oversees HIPAA rule enforcement, does not offer any formal designation for an organization that complies with the rules. Rather, compliance is tested through audits and reporting. Only when an organization is found to be out of compliance through an audit or evaluation is formal action taken.

To understand this process in-depth, we need to review the full text of the HIPAA rules.

Here is a high-level overview of steps an organization must take to achieve and maintain HIPAA compliance.

1. Designate HIPAA Privacy and Security Officers These roles can be held by one or more individuals. The persons with these positions should receive formal security officer training and be granted authority within the organization to act on behalf of the company in the interest of maintaining compliance. They are also tasked with creating and implementing the organization’s HIPAA compliance program.
2. Establish Security Safeguards To ensure the security and privacy of PHI handled by your company, your designated HIPAA officers must establish organization-specific privacy and security protocols. These policies should be well-documented, updated, and shared with staff and contractors as part of a regular training program. In fact, HIPAA mandates that staff be trained on HIPAA policies at the time of orientation and at minimum once yearly after that. At the conclusion of their training, they must sign a document asserting they understand the HIPAA policy. There are three types of safeguards that are mandated by HIPAA rules: Administrative Safeguards: These are the security measures that govern how HIPAA policy is administered within the organization. It covers the adoption of security systems, training of personnel, and regular assessment of security measures. Physical Safeguards: These policies dictate how PHI is kept secure within the physical confines of the office or data center. While ePHI is at the greatest risk from hackers, there are still many instances of theft from employees or contractors who can physically access data on-site. Technical Safeguards: These security measures protect ePHI from cyberattacks. Both hardware and software must be audited and controlled to ensure they meet HIPAA network requirements. There must also be procedures established for the proper editing of digital records.
3. Draft a Breach Notification Protocol This protocol ensures that an organization is in a state of readiness to report should a breach occur. HIPAA mandates that the following groups must be notified: Individuals: All individuals whose PHI was compromised must receive notification within 60 days of the incident. Media: When a breach affects more than 500 residents of a state or jurisdiction, organizations are required to notify major media outlets in that region within 60 days of the incident, sharing the same information that was sent to the affected individuals. Secretary of Health and Human Services: The Secretary must be notified of any breaches, regardless of the number of individuals affected. Like media notification, if the breach impacts 500 or more individuals, the Secretary must be notified no later than 60 days following the breach. For breaches affecting fewer than 500 individuals, incidents may be reported annually.
4. Maintain Business Associate Agreements All covered entities must receive satisfactory assurances that business associates are HIPAA-compliant. Business Associate Agreements should be reviewed on an annual basis. When entering into a contract with a business associate, covered entities should outline the details of when and how the business associate is permitted to use protected health information.
5. Keep Complete Records and Conduct Regular Self-audits HIPAA compliance is an ongoing process that is subject to self-reporting and outside audits. Maintaining records is critical to an organization to avoid fines and penalties for falling out of compliance. This applies not only to your internal documents and files but also any systems or software used by employees and associates.

In assessing whether accounting software meets HIPAA standards, you’ll want to determine where the data is stored (servers versus local computers and devices), who has access, and which practices are being used by business associates. Note that organizations are still responsible for PHI that might be vulnerable due to lax passwords or access controls, even if the software itself is encrypted end-to-end.