Chances are 2020 has brought big changes for your business. With an increasing number of employees working online, more and more communication takes place online and through different tools and apps. Companies who deal with sensitive health information must make sure that the tools they are using HIPAA Compliant. We’re here to make sure your business adheres to the national standards when it comes to protecting the personal health information of clients and employees.
We’ve already covered the most common HIPAA violations in the workplace. In this post, we’ll discuss what HIPAA stands for, and answer your most pressing questions. Is zoom HIPAA compliant 2020? Is Skype? We’ll help your get up privacy practices up to snuff.
- What Does HIPAA Stand For?
- Who Needs HIPAA Compliant Software?
- HIPAA Privacy and Security Rules
- Is Your Software Compliant?
- Software For HIPAA Compliant Telehealth
- Emails and Messages that Comply with HIPAA
HIPAA stands for the Health Insurance Portability and Accountability Act. This 1996 federal law protects the privacy rights of individuals in the U.S. against the disclosure of sensitive and individually-identifiable Protected Health Information (PHI).
HIPAA laws protect PIH such as diagnosis and treatment information, medical test results, prescription information, and billing information. It is important to note that these standards are applicable only to some businesses. HIPAA compliance is important for “covered entities” such as private and public healthcare providers, health insurance companies, and HMOs— as well as any businesses which negotiate with them.
Non-compliance with HIPAA can lead to serious fines. Even small HIPAA violations can cost businesses between $100 and $50,000 per transgression. Given the rising number of high profile HIPAA breaches in previous years, businesses must be careful more careful than ever to make sure they aren’t making avoidable mistakes.
Find out the most common HIPAA violations in the workplace.
HIPAA “covered entities” always need to use HIPAA compliant software, but businesses who work with these entities or collect health information may be unsure of their responsibilities.
There is an easy test: if your device or application shares or will share the user’s personal health data with a covered entity such as a doctor, then you need HIPAA compliant software. If the app does not share information with a covered entity, then the app or device does not have to be HIPAA compliant.
When it comes time for employees to register with workplace-organized health insurance, they should give their information directly to the insurance company. That way, the integrity of their PHI will not be compromised.
In order to be in compliance with HIPAA, businesses carefully evaluate the tools they use to transmit PHI. They should keep in mind the following HIPAA rules
- The HIPAA Security Rule was added to set out what safeguards must be in place to protect electronic PHI (ePHI), which is health information that is held or transferred in electronic form.
- The Privacy Rule allows covered entities to disclose PHI to a Business Associate if they receive assurances that the Business Associate will use the information only in the scope of which it was engaged by the covered entity.
If you using a third party to transmit or host PHI, they are required by law to sign a Business Associates Agreement (BAA). This ensures that adequate administrative, physical, and technical safeguards are in place.
- Breach Notification Notification Rule stipulates the actions that covered entities or business associates must take following a breach of a data breach of PHI or ePHI. The rule protocol differs depending on the size and type of the breach.
To find software that is in compliance with HIPAA, businesses need to have the requirements of the Security Rule in mind. Software that is HIPAA compliant will have technical, physical, and administrative safeguards to protect against unauthorized leaks.
- Administrative Safeguards ensure that the administrators and developers who have access to ePHI act responsibly. This means training employees about the ethical and legal implications of their work. Safeguards may include:
- Information Access Management
- Workforce Training
- Risk Analysis
- Physical Safeguards prevent data breaches by limiting the personnel who have access to the facilities and machines where ePHI is stored. Physical safeguards may include:
- Security Personnel
- Workstation Management
- Facility and Access Control Policies
- Technical Safeguards concern the software and technologies used to protect ePHI. ePHI must be encrypted according to the standards of the National Institute of Standards and Technology so that confidential patient data is unreadable, undecipherable, and unusable. The law does not specify the exact technologies needed but indicates a need for:
- Access Controls
- Integrity Controls
- Audit Controls
- Transmissions Security
Not all software meets these high standards. Some software only need tweaks to meet the criteria. In the following sections, we’ll walk you through the most-commonly-used software and tell you what to avoid.
In the age of COVID, telehealth has become increasingly common. What are the best tools for video conference HIPAA compliance?
- Is Zoom HIPAA compliant? Zoom’s free and regular paid versions are not HIPAA compliant, but it offers a healthcare option for covered entities. In this version, Zoom applies mandatory settings so that while the software transmits PHI, it does not have access to the data. Zoom also authenticates log-ins and encrypts chats.
- What about Skype? The free version of Skype is not HIPAA compliant. Skype for Business Enterprise E3 and E5 packages may be HIPAA as long as the businesses sign a BAA with Microsoft. Business owners should bear in mind that not all of Microsoft’s BAA include Skype.
- Doxy.me is a platform specifically designed to support healthcare providers and as such is HIPAA compliant. It offers HIPAA-compliant forms like a BAA for businesses to sign.
- Video platform Webex can be HIPAA compliant so long as businesses sign a BAA with parent company Cisco.
When sending out sensitive information, HIPAA compliant email is vital for protecting client information and ePHI. What platforms offer the right protection?
- While the free version of G Suite does not comply with HIPAA, the paid version does so long as users review and accept a BAA. G Suite administrators will also have to toggle some settings to make sure the integrity of data is not compromised.
- Slack users will be happy to know that with the implementation of specific controls and a BAA, Slack can also be HIPAA compliant.
- Is Asana a HIPAA-compliant cloud service? No! While Asan offers integrations with tools such as Box, which do comply with HIPAA, Asana itself is not suitable for PHI.
- Dropbox can be HIPAA compliant, as long as the business’s account is correctly configured and a BAA exists.
Finding the Right HIPAA Compliant Tools
This may seem a little complicated but don’t be intimidated! There will be guidelines to follow whether you are sending a HIPAA compliant fax or engaging in compliant texting. Configure your settings, keep a clear audit trail, and keep private information private.
Written by Valerie Slaughter