Paubox blog: HIPAA compliant email made easy

Can software be partially HIPAA compliant?

Written by Kirsten Peremore | May 23, 2023

Software helps healthcare providers meet the rigorous standards of HIPAA compliance. For software to be considered HIPAA compliant, it must comply with the requirements for safeguarding the security and privacy of protected health information(PHI). However, a key question arises: Can software partially or substantially meet these requirements while maintaining its HIPAA compliance status? 

In short, there's no partially compliant software. Any software that handles PHI must be fully HIPAA compliant and be willing to sign a business associates agreement. 

 

The importance of a business associates agreement

There are two main categories of organizations that must adhere to HIPAA compliance standards:

  • Covered entities: These encompass healthcare organizations such as doctors, clinics, healthcare plan providers, and clearinghouses.
  • Business associates: These are service providers who collaborate with covered entities. When the services they offer involve accessing protected health information (PHI) controlled by covered entities, business associates must be HIPAA compliant.

Software providers are considered business associates when they access the PHI held by the covered entity. A business associate agreement (BAA) must be in place between the covered entity and the software provider to ensure compliance, specifying the PHI they can access. 

 

What is HIPAA compliance?

The Omnibus Rule establishes the requirement for business associates to be HIPAA compliant and emphasizes the need for a Business Associate Agreement (BAA). 

HIPAA compliance is outlined in the Privacy and Security Rules. The Privacy Rule governs the permissible uses and disclosures of protected health information (PHI). In contrast, the Security Rule establishes standards for protecting electronic PHI at rest, during processing, and in transit. This involves implementing technical, administrative, and physical safeguards. 

All these safeguards and requirements must be in place for compliance to be met. It is not possible to select those which are most preferable. 

These safeguards are categorized as follows:

  • Required: These safeguards must be implemented to ensure HIPAA compliance. Examples include conducting risk assessments and implementing risk management policies (Administrative safeguard).
  • Addressable: These safeguards are determined to be appropriate based on the organization's size and risk assessment. For instance, implementing access controls (Physical safeguard) or ensuring PC logoffs (Technical safeguard) are examples of addressable safeguards.

 

HIPAA compliance and HIPAA compliant software

Covered entities frequently rely on software like The Guard as a framework to achieve and maintain HIPAA compliance. This HIPAA compliance software can assist in various functions, including security risk assessments or ensuring overall compliance assurance. Software does not need to be inherently compliant unless it handles protected health information (PHI) controlled by the organization.

On the other hand, HIPAA compliant software, like HIPAA compliant email, is specifically designed with the security and privacy safeguards outlined by HIPAA. This may include features such as secure email encryption solutions for sharing PHI, such as Paubox and TherapyNotes, or secure storage services, such as Google Cloud Drive. By utilizing this software, covered entities can enhance their ability to safeguard PHI and comply with HIPAA requirements.

Differentiating between these two phrases enables organizations to accurately choose the appropriate software service for their needs.

 

How is HIPAA compliance proven?

While there is no official HIPAA compliance certification recognized by the Office for Civil Rights (OCR), organizations can demonstrate compliance through various methods.

  • Policies and procedures: Implementing comprehensive policies and procedures enables entities to meet the requirements outlined in HIPAA regulations. These policies establish guidelines for the protection of sensitive health information.
  • Self-assessments or third-party audits: Conducting self-assessments or engaging third-party auditors demonstrates a commitment to compliance. These assessments help identify vulnerabilities and address potential threats to compliance.
  • HIPAA compliant software: Utilizing software designed to meet HIPAA requirements, including encryption and secure transmission, ensures that specific compliance standards are met.

By employing these approaches, organizations can establish their commitment to HIPAA compliance and provide evidence of their efforts to safeguard protected health information.

 

Holistic commitment to HIPAA compliance

HIPAA compliance is crucial for both software and covered entities. The right software acts as a security measure for protecting sensitive patient data, making it essential to ensure PHI's security and integrity. Partial compliance is not possible, as any shortcomings in the software could compromise the covered entity's ability to safeguard PHI effectively and lead to non-compliance.

See more: Does law firm software need to be HIPAA compliant?