
Accountants may encounter protected health information (PHI) when providing services to covered entities, such as healthcare providers, health plans, or healthcare clearinghouses, or when working with business associates of these entities. In these cases, accountants will need to comply with the HIPAA privacy and security rules.


Accountants and HIPAA obligations

An accountant typically encounters PHI and HIPAA obligations in the following situations:

  1. Medical billing and reimbursements: Accountants may handle patient billing information, insurance claims, and reimbursement data while assisting healthcare providers or health plans in managing their financial operations.
  2. Financial audits and reviews: When performing financial audits or reviews for covered entities, accountants may come across PHI in the form of invoices, payment records, or insurance-related documents.
  3. Tax preparation and advisory services: While preparing tax returns for healthcare providers, accountants might encounter PHI in the form of revenue data, expense reports, or financial statements that contain information about patients and their medical treatments.
  4. Financial planning and analysis: Accountants engaged in financial planning, budgeting, or analysis for covered entities may work with data that includes PHI, such as patient demographic information or service utilization data.
  5. Payroll services: If an accounting firm manages payroll services for a healthcare provider, they may handle employee health insurance and benefits data, which could include PHI.
  6. Mergers and acquisitions: When advising on or facilitating mergers and acquisitions involving healthcare providers or covered entities, accountants may need to review financial documents and other records containing PHI.


In these situations, accountants must sign business associate agreements (BAAs) with the covered entity or business associate and adhere to the HIPAA privacy and security rules. This includes implementing safeguards to protect PHI, using HIPAA-compliant email, reporting breaches, and maintaining compliance with HIPAA regulations.


Accounting software and HIPAA compliance

Accountants must assess whether their accounting software handles and stores PHI in a way that meets HIPAA requirements.

Key factors to evaluate include:

  1. Data encryption: Verify that the software encrypts PHI at rest and in transit, protecting it from unauthorized access.
  2. Access controls: Ensure the software has robust user authorization and permission settings to limit access to PHI.
  3. Audit trails: Confirm that the software maintains detailed logs of user actions, including access and modifications to PHI.
  4. Data storage location: Check whether the software stores data in a secure environment and assess the security standards of any third-party data centers used.




Addressing non-compliant accounting software

If non-compliant accounting software is identified, accountants should take appropriate measures to mitigate risks:

  • Upgrade or replace non-compliant software with HIPAA-compliant alternatives.
  • Restrict non-compliant software use for PHI-related tasks and limit access to authorized personnel.
  • Implement additional security measures, such as secure data backups and network monitoring, to supplement the software's existing features.


Evaluating HIPAA-compliant accounting software

When choosing HIPAA-compliant accounting software, accountants should consider the following aspects:

  • Vendor's commitment to compliance: Assess whether the vendor actively maintains and updates its software to stay compliant with evolving regulations.
  • Integration capabilities: Ensure the software can be easily integrated with other systems used by the accounting firm, minimizing data transfer risks.
  • Customization options: Look for software with customization features to tailor security settings and workflows to the firm's needs.
  • Customer support: Confirm that the vendor provides responsive and knowledgeable customer support to address compliance-related concerns or technical issues.
  • Business associate agreement: The most crucial aspect is whether the vendor will sign a BAA. Without a BAA, the software is not considered HIPAA compliant.


Maintaining ongoing compliance

HIPAA compliance is an ongoing process, and accountants should periodically review their firm's policies and active software solutions to ensure they continue to meet the required standards. Regular software updates, employee training, and compliance audits are essential to maintaining a secure environment for PHI.

By identifying and addressing non-compliant software, selecting suitable HIPAA-compliant alternatives, and implementing a comprehensive compliance program, accountants can safeguard client information and avoid penalties associated with non-compliance.
