HIPAA Compliance Software
Copyright 2019, Faulkner Information Services. All Rights Reserved.
Docid: 00011306
Publication Date: 1905
Report Type: TUTORIAL
Preview
The Health Insurance Portability and Accountability Act (HIPAA) imposes strong requirements for the privacy and security of patient records, and the additional requirements of the HITECH Act intensify the need for software that helps organizations meet these rules. Software can assist an organization in handling patients' personal health information, but the HIPAA requirements are often stated in general terms, so software that promises HIPAA compliance must be evaluated carefully. However helpful compliance software may be, it is no substitute for human oversight.
Report Contents:
- Executive Summary
- Description
- Current View
- Outlook
- Recommendations
- References
- Web Links
- Related Reports
Executive Summary
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that requires hospitals and other organizations that store, receive, or transmit patient medical data to maintain the privacy and security of that information. In effect, these requirements were intensified by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HIPAA Omnibus Rule, which went into effect in 2013, codified the HITECH Act's provisions in the HIPAA regulations.
HIPAA
compliance software is designed to provide organizations with
tools to help manage the process of meeting HIPAA and HITECH
requirements. Sometimes this software is general purpose, with a
“HIPAA/HITECH Compliant” label on it.
Even for the majority of healthcare organizations that have
already implemented compliance programs, software can help
streamline the process of collecting HIPAA-related documentation
and monitoring ongoing compliance. For instance, some
applications automatically monitor the transfer of electronic
records, a feature that can be used to determine whether patient
records and other confidential data are being distributed
according to regulations.
Compliance software can include the following: standards, policies, auditing tools and outcomes, checklists, incident tracking, complaints, guidance information, templates, contracts and business associate agreements, reporting, and training material. Most products include only some of these features, so it may be necessary to use more than one tool. Delivery as Software as a Service (SaaS) has made HIPAA compliance software more widely accessible.
Even when using multiple products, it is important to remember
that no tool can conclusively determine whether a healthcare
facility is compliant with HIPAA. The regulations are complex,
in many cases allowing more than one solution to a problem, and
even experts debate how to interpret some of the
provisions. Therefore, a knowledgeable compliance officer is
needed to supervise HIPAA compliance efforts. If the officer
determines that commercially available software would aid these
efforts, then such a product may help to streamline an existing
program, but it will not necessarily be a substitute for other
research, monitoring, education, and assessment activities.
Description
The US Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996, and the law has since been supplemented by rules issued by the US Department of Health and Human Services (HHS). The purpose of HIPAA is to increase the security and privacy of patients' medical records. HIPAA covers three basic areas: transactions and code sets, privacy, and security. The Transactions and Code Sets Rule sets the electronic standards by which data is transmitted. The Privacy Rule governs the circumstances under which Protected Health Information (PHI), that is, individually identifiable patient information, may be used or disclosed. The Security Rule requires administrative, physical, and technical safeguards for PHI that is held or transmitted in electronic form (ePHI). The portion of HIPAA most familiar to the general public is the Privacy Rule, as a result of which patients are routinely asked to sign forms related to the disclosure of their personal information. HIPAA applies not only to hospitals and doctors' offices but also to health plans, healthcare clearinghouses, and other covered entities that store, receive, or transmit electronic medical records, and, through its business associate provisions, to the contractors that handle PHI on their behalf.
In 2009 the US Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. Its main effects on HIPAA were to raise the penalties for violations, to make business associates directly liable for compliance with the Security Rule, and to add a breach notification requirement for unsecured PHI. HITECH also directs HHS to conduct periodic audits of compliance, that is, external, governmental auditing.
In the same way that there are a number of provisions within
HIPAA, there is a variety of software products designed to help
organizations comply with the provisions of HIPAA. Features that
are often part of these products include the following:
- Auditing Tools and Event Monitoring – HIPAA compliance programs cannot be established once and then ignored. They require ongoing attention, particularly to staff activity that might create security risks. A frequent element of this attention is restricted and/or role-based access to Protected Health Information. Some applications monitor activity across a network and provide security incident tracking reports on relevant information, such as who accesses or transmits sensitive documents. Certain tools can also be configured to raise alarms when customer-defined events occur and to consolidate audit results for reporting. Auditing tools are typically the software thought of first when discussing HIPAA compliance software, but they are not the only kind. Reporting is an important component of this aspect of HIPAA compliance programs.
- Checklists – Checklists itemize HIPAA requirements in a form that allows users to track which steps they have completed and which remain unfinished.
- Guidance Information – Many products include documents that describe policies that can help to enforce information security, step-by-step procedures for assessing HIPAA compliance, and other educational information. Some products offer flowcharts and basic project management utilities for additional assistance. Past versions of policy documents should also be retained, so an audit can determine which policies were in effect when a particular transaction occurred.
- Templates – HIPAA requires extensive recordkeeping. Many software products include templates for HIPAA-related documentation, such as business associate agreements that hospitals can give to outside contractors to bind them to safeguard the PHI their software and services handle.
- Training Material – Workforce training is required under the HIPAA Privacy and Security Rules. Aids can include manuals and videos as well as interactive tools such as computer-based self-assessment tests. Some training aids are targeted toward compliance officers and others toward the medical staff of a hospital or other medical institution, covering policies, procedures, and related materials.
- Business Associates – HIPAA requires business associate agreements with outside parties that handle Protected Health Information on a covered entity's behalf, and these agreements must be tracked. The use of PHI by those business associates must also be tracked. Tracking of contracts not directly mandated by HIPAA may also be included in the software.
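The auditing and event-monitoring features described above reduce, in practice, to a set of rules run over an access log. The following Python script is an added example, not code from this report or from any of the vendors it names. It applies four such rules to a constructed EHR access log: role-based permission checks, a treatment-relationship check for clinical staff, detection of transfers to destinations that are not covered by a business associate agreement, and a bulk-access check over a time window. The log format, the role table, the care-team assignments, the business associate list, and the thresholds are all assumptions invented for this example. Each finding it produces is a prompt for a compliance officer to examine, which is the point the Recommendations section makes: a matched rule is not a compliance determination.

```python
"""Rule-based review of a constructed EHR access log.

Added example, not code from the report or from any vendor it names. The
log format, role table, care-team assignments and business-associate list
below are assumptions invented for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data):
# timestamp | user | role | action | patient | destination ("-" = none)
SAMPLE_LOG = """\
2019-03-04T08:02:11 | jsmith | nurse        | view   | P1001 | -
2019-03-04T08:05:40 | jsmith | nurse        | view   | P1002 | -
2019-03-04T08:07:02 | jsmith | nurse        | view   | P1003 | -
2019-03-04T09:15:00 | mlee   | billing      | view   | P1001 | -
2019-03-04T09:16:30 | mlee   | billing      | export | P1001 | billing-partner.example
2019-03-04T09:20:10 | mlee   | billing      | export | P1002 | unknown-mail.example
2019-03-04T10:00:00 | rkim   | receptionist | view   | P1003 | -
2019-03-04T11:00:00 | tdoe   | nurse        | view   | P2001 | -
2019-03-04T11:00:30 | tdoe   | nurse        | view   | P2002 | -
2019-03-04T11:01:00 | tdoe   | nurse        | view   | P2003 | -
2019-03-04T11:01:30 | tdoe   | nurse        | view   | P2004 | -
2019-03-04T11:02:00 | tdoe   | nurse        | view   | P2005 | -
2019-03-04T11:02:30 | tdoe   | nurse        | view   | P2006 | -
"""

# Hypothetical policy tables a compliance officer would maintain.
ROLE_ACTIONS = {                      # which actions each role may perform on PHI
    "nurse": {"view"},
    "physician": {"view", "export"},
    "billing": {"view", "export"},
    "receptionist": set(),
}
CLINICAL_ROLES = {"nurse", "physician"}   # roles expected to have a treatment relationship
CARE_TEAM = {"jsmith": {"P1001", "P1002", "P1003"}, "tdoe": {"P2001"}}
BUSINESS_ASSOCIATES = {"billing-partner.example"}   # destinations covered by a signed BAA
BULK_THRESHOLD = 5                    # this many distinct patients ...
BULK_WINDOW = timedelta(minutes=10)   # ... within this window is reported as bulk access


def parse_log(text):
    """Parse the pipe-delimited sample format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient, dest = (f.strip() for f in line.split("|"))
        records.append({
            "ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "patient": patient,
            "dest": None if dest == "-" else dest,
        })
    return records


def review(records):
    """Return (rule, user, detail) findings for a compliance officer to examine.

    A finding means an event matched a rule, not that it was a HIPAA
    violation: a nurse may have been covering for a colleague, or an export
    may have been authorised by the patient. Deciding that takes a person.
    """
    findings = []
    recent = defaultdict(deque)   # user -> (timestamp, patient) pairs inside BULK_WINDOW
    bulk_reported = set()         # users already reported for bulk access
    for r in records:
        user, role, action, patient = r["user"], r["role"], r["action"], r["patient"]
        # Rule 1: role-based access. Unknown roles are permitted nothing.
        if action not in ROLE_ACTIONS.get(role, set()):
            findings.append(("role-not-permitted", user,
                             f"{role} performed {action} on {patient}"))
        # Rule 2: clinical staff viewing a patient they are not assigned to.
        if role in CLINICAL_ROLES and action == "view" \
                and patient not in CARE_TEAM.get(user, set()):
            findings.append(("no-treatment-relationship", user,
                             f"viewed {patient} outside assigned care team"))
        # Rule 3: PHI leaving for a destination with no business associate agreement.
        if action == "export" and r["dest"] not in BUSINESS_ASSOCIATES:
            findings.append(("transfer-without-baa", user,
                             f"exported {patient} to {r['dest']}"))
        # Rule 4: many distinct patients touched by one user in a short window.
        window = recent[user]
        window.append((r["ts"], patient))
        while r["ts"] - window[0][0] > BULK_WINDOW:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= BULK_THRESHOLD and user not in bulk_reported:
            bulk_reported.add(user)   # report once per user so the queue is not flooded
            findings.append(("bulk-access", user,
                             f"{len(distinct)} distinct patients within {BULK_WINDOW}"))
    return findings


def review_sample():
    """Run the rules over the constructed log."""
    return review(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, detail in review_sample():
        print(f"[{rule}] {user}: {detail}")
```

On the constructed log the script reports the receptionist's view, the billing user's export to a destination without a BAA, and the second nurse's five out-of-team views plus one bulk-access finding, while the first nurse's activity produces nothing. Whether the nurse who viewed six patients in three minutes was doing a legitimate shift handover or snooping is exactly the question the tool cannot answer; the policy tables are also where a real product's value lies, since they must be kept current as staff and contracts change.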
Current View
HIPAA requirements cannot be avoided, and their presence today is widely seen, for example in any visit to a doctor's office. Violations are not only expensive but damaging to a reputation. For example, in 2018 the insurance provider Anthem settled with the US government for $16 million because personal medical data it maintained was compromised in a 2015 hacker attack.[1]
HIPAA regulations and rules in general do not provide an
absolute set of requirements to be followed. Instead, a standard
of “reasonableness” is employed, requiring “appropriate
administrative, technical, and physical safeguards” for Protected Health Information. One implication is that
non-technical protection of individual health information can be
as important as technical protection. Another implication is
that it is not feasible for a single software product to address
all HIPAA requirements. In fact, most HIPAA compliance products focus on only a
relatively small number of provisions. The majority of
HIPAA-focused compliance applications are small to mid-tier
products offered by independent software vendors. The larger
products on the market include compliance and security tools for
other regulations in addition to HIPAA.
Some of the notable products that specifically aim to help with HIPAA
compliance include the following:
- Accumedic Behavioral Health EHR
- Adroit Infosystems eHospital Systems
- AdvancedMD HIPAA One
- CureMD’s Practice Management Software
- ManageEngine EventLog Analyzer
- TrueVault Safe and Atlas
Some
products that are labeled as HIPAA compliance tools are
actually general security products without customized features
specifically related to healthcare. Others are essentially
collections of templates and/or guidelines. Although
general products such as firewalls are an important part of
overall security and therefore of HIPAA compliance, these
products may or may not include features related to
HIPAA-specific issues such as the disclosure of patient
information. Furthermore, because of the “reasonable,” rather
than specific, standards of many HIPAA rules, a statement such
as “one hundred percent HIPAA compliant” must be viewed as
suggestive rather than absolute. Therefore, the features of
software packages must be carefully examined. The label
“HIPAA
compliance software,” which vendors give themselves, may mean nothing
more to a particular vendor than the secure storage of data or
the correct electronic protocols for the transmission of data.
Software as a Service (SaaS) delivery, in which the vendor hosts the application and the customer uses it over the Internet, has added a new dimension to HIPAA compliance software, with many vendors offering both a hosted and an on-site solution. A SaaS vendor that stores or processes PHI on a customer's behalf is a business associate under HIPAA, so a business associate agreement is needed before PHI is entrusted to the service.
Outlook
Software focused on HIPAA compliance has become a solid niche
market, with even larger dimensions when combined with software
for Sarbanes-Oxley compliance, and still larger dimensions with
the HITECH Act and its related penalties. The
enormous spread of mobile devices, including tablets and phones,
as well as wearable devices like monitoring equipment, has added
to the challenges of HIPAA compliance and has opened new
development in compliance software.
HIPAA regulations and rules do not lend themselves to being
checked by automated, computer-based tools or to being entirely
managed by a single, one-size-fits-all record keeping database.
Therefore, software developers are unlikely to create
HIPAA-focused enterprise-scale applications. Since HIPAA
compliance is now a familiar fact of business life, demand does
not exist to generate significantly larger sales volumes for the
types of software that are already on the market. Instead, the
market appears likely to remain in much the same condition it is
in now, that is, split between specialized software packages
that are dedicated to a narrow aspect of HIPAA compliance and
mid-tier applications that include HIPAA compliance
functionality with additional compliance tools that may be of
little, if any, use to healthcare facilities.
There are no products on the market, nor are there likely to
be
any in the foreseeable future, that can with absolute
reliability determine whether an organization is compliant with
HIPAA or even with a particular element of it, because of the
nature of the HIPAA regulations and rules themselves. Even an
approach that uses several different products may have gaps that
need to be filled.
Regardless of how they are marketed, the main benefit that can
be achieved with HIPAA compliance products on the market today
is improved efficiency. The templates, checklists, and similar
tools these products offer can boost efficiency by streamlining
document creation and making current programs more systematic,
better organized, and more manageable.
Recommendations
Healthcare organizations can frequently benefit from HIPAA
compliance software, and risk serious penalties under HITECH if
they are not compliant. HIPAA compliance products are relatively
inexpensive, depending on the size of the organization. Some
cost as little as a thousand dollars and they are frequently
easier to install and learn to use than are enterprise
applications. Consequently, the software may have little impact
on a facility’s budget and will only minimally disrupt its
operations.
However, organizations affected by HIPAA should always
remember
that the checklists, documents, and other guides that HIPAA
compliance software provides are based on the interpretations of
the companies that make them, and that experienced HIPAA
consultants may sometimes argue among themselves about how to
interpret elements of the regulations. Even tools that monitor
network activity in real time and provide alarms when
pre-defined events occur cannot determine definitively whether a
particular action is HIPAA compliant – such a determination
requires a person to interpret why the action was taken and what
its impact is.
Consequently, facilities should not put the wrong kind of
trust
in such software, regardless of claims to be “one hundred
percent HIPAA compliant.” In particular, facilities should not
assume that any software will enable them to ensure compliance
without additional effort and without knowledge of the
regulation beyond that provided by the software.
Another way of making this point is to say that software
should
not be the sole, or even primary, source of compliance
information and activity. Instead, organizations should have a
compliance program run by a person familiar with HIPAA; if
this coordinator judges that software would be helpful, such a
tool should be used primarily as an aid for timesaving and
record keeping. Rather than relying solely on software, the compliance coordinator should research HIPAA using a variety of sources, including guidance published by the HHS Office for Civil Rights, trade articles, seminars, advice from colleagues at other hospitals, and, if necessary, a third-party consultant.
One helpful tool is the Manufacturer Disclosure Statement for Medical Device Security (MDS2), a standard form developed by the Healthcare Information and Management Systems Society (HIMSS) together with the National Electrical Manufacturers Association (NEMA) and updated in 2013 as ANSI/NEMA HN 1-2013. Medical device manufacturers complete the MDS2 to give potential customers information about how their products handle the security of electronic patient information, such as whether the device stores PHI, whether it supports user authentication and audit logging, and how it receives security updates. Because it is a self-disclosure by the manufacturer rather than the result of independent testing, it should be read as input to a risk assessment, not as proof of security. Potential customers need not eliminate from consideration a manufacturer that has not completed the form for a product under consideration, but where an MDS2 is available it can be a valuable decision-making tool.
Another useful aid is the Security Risk Assessment (SRA) Tool, offered by the HHS Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR). It is designed for small and mid-sized healthcare organizations and walks the user through the risk analysis that the Security Rule requires. The most recent version of the tool, released in October 2018, includes changes to the user interface and enhancements to the reporting functionality.[2]
When evaluating HIPAA compliance software, healthcare
facilities should consider the following:
- The clarity of its reporting tools. HIPAA-related software cannot decisively tell a healthcare facility whether it is compliant. Instead, the information in the reports the software provides must be reviewed and interpreted by staff who understand both the organization and HIPAA. Features such as graphical displays and searchable data can help compliance officers sort through data and identify potential problem areas more effectively, but can never replace human evaluation.
- HIPAA-specific information and tools. Some tools marketed as HIPAA compliance products are general-purpose products with limited HIPAA-specific functionality. Some of these are still worth considering for purchase; for instance, such a product may assist hospitals in meeting other regulations and laws to which they are subject, such as those of the Joint Commission on Accreditation of Healthcare Organizations or the US Occupational Safety & Health Administration. It is important, however, to ensure that an organization buying such a tool just for HIPAA is not paying for unnecessary features and that the tool will actually aid the organization's HIPAA compliance efforts.
- Scalability. Some products are designed with small to mid-sized doctor's offices in mind and would therefore be ineffective for large hospitals. Networking capabilities will be important for multi-facility hospital systems.
Organizations that evaluate HIPAA compliance software and
determine that it will not aid their current efforts can achieve
compliance without purchasing HIPAA-specific software. Such
products are not mandatory, and many HIPAA best practices are
also best practices in a more general sense. In some cases an
effective training program may be as useful as a software
purchase. It should be noted that there is no official “HIPAA
compliance” certification. Offers to provide such a credential
should be skeptically received.
Also, healthcare facilities should bear in mind that being
HIPAA compliant does not necessarily mean being secure. It is
possible to meet all the regulation’s provisions and still have
security vulnerabilities or policies that are not optimally
effective, potentially leading to HITECH sanctions. Therefore,
although it is important to include IT personnel in HIPAA
compliance programs, the IT department and HIPAA compliance team
should be kept functionally distinct, each with its own charter
and leadership.
References
[1] Morgan Haefner. "Anthem's $16M HIPAA Settlement Largest in History." Becker's Health IT & CIO Report. October 16, 2018.
[2] "ONC and OCR Bolster the Security Risk Assessment (SRA) Tool with New Features and Improved Functionality." ONC. October 16, 2018.
Web Links
- Accumedic: https://www.accumedic.com/
- Adroit Infosystems: https://www.adroitinfosystems.com/
- Advanced MD: https://www.advancedmd.com/
- Centers for Medicare & Medicaid Services HIPAA Site: https://www.cms.gov/
- Healthcare Information and Management Systems Society: http://www.himss.org/
- Joint Commission on Accreditation of Healthcare Organizations: http://www.jointcommission.org/
- ManageEngine: https://www.manageengine.com/
- Occupational Safety & Health Administration: http://www.osha.gov/
- Security Risk Assessment Tool: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
- TrueVault: https://www.truevault.com/
- US Department of Health and Human Services: http://www.hhs.gov/
About the Author
Geoff Keston is the author of
more
than 250 articles that help organizations find opportunities in
business trends and
technology. He also works directly with clients to develop
communications strategies that improve processes and customer
relationships. Mr. Keston has worked as a project manager for a major
technology consulting and services company and is a Microsoft Certified
Systems Engineer and a Certified Novell Administrator.