HIPAA Compliance for Software Vendors

Healthcare organizations rely on software to run their businesses. Often when looking for software solutions, healthcare organizations turn to software vendors for assistance. Software vendors that work with healthcare clients are considered to be business associates under HIPAA. Business associates are required to be HIPAA compliant. HIPAA compliance for software vendors is discussed below.

HIPAA Compliance for Software Vendors: Compliance Program

As stated above, software vendors working with healthcare clients are required to be HIPAA compliant. As such, they need to implement a HIPAA compliance program to address HIPAA standards. A HIPAA compliance program is meant to ensure that patients’ protected health information (PHI).

Administrative safeguards: ensure that PHI is used and disclosed in a HIPAA compliant manner. HIPAA requires organizations to adhere to the minimum necessary standard. The minimum necessary standard dictates that organizations use and disclose only the minimum necessary PHI to complete a job function.

Technical safeguards: include implementing security measures such as firewalls, data backup, and disaster recovery.

Physical safeguards: include securing an organization’s physical location with locks, alarm systems, and CCTV cameras.

Self-audits: software vendors must conduct five self-audits annually. Self-audits assess an organization’s safeguards to ensure that they are adequately protecting PHI. 

Gap identification and remediation: conducting self-audits allows for gaps in safeguards to be identified. To be HIPAA compliant, gaps must be addressed with remediation efforts.

Policies and procedures: organizations are required to create custom policies and procedures that apply directly to their business operations. Policies and procedures dictate the proper uses and disclosure of PHI. 

Employee training: employees must be trained annually on their organization’s policies and procedures. Additionally, they must be trained annually on HIPAA standards. 

Business associate agreements: to work with healthcare clients, software vendors must be willing to sign a business associate agreement (BAA). A BAA dictates the safeguards that are required to be in place. A BAA also limits the liability of each signing party, as each party agrees to be HIPAA compliant, and each is responsible for monitoring and maintaining their own compliance.

Incident management: as part of the HIPAA regulation, organizations that experience a breach must report the incident. Depending on the size of the breach, reporting requirements differ.

HIPAA Compliance for Software Vendors: Software Requirements

HIPAA compliant software also has specific security requirements. 

User authentication: HIPAA requires the confidentiality, integrity, and availability of PHI. As such, only authorized users should have access to PHI. User authentication ensures that users are who they claim to be, preventing unauthorized access. Multi-factor Authentication (MFA) is the best way to accomplish user authentication. MFA requires more than one credential to access data, such as a username and password combined with security questions, a one-time PIN, or biometrics.

Access controls: since HIPAA requires organizations and their staff to only access the minimum necessary PHI for a specific purpose, employees must have different levels of access to PHI. This is accomplished through unique login credentials. With unique login credentials, each employee is granted access to only the PHI they need to perform their job roles. 

Audit controls: enabled through the use of unique login credentials, audit controls track access to PHI to ensure that access is in accordance with the minimum necessary standard.
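As an added illustration of the access-control and audit-control requirements above (example code, not from the article or any vendor's product), the following Python model grants each role only its minimum-necessary PHI fields and records every attempt, granted or denied, against the requesting user's unique id. The role map, field names and patient record are constructed placeholders.

```python
"""Added example (not from the article): role-based PHI access with minimum-necessary
field checks and an audit trail. Roles, fields and the sample record are constructed."""
from datetime import datetime, timezone

# Constructed role map: the PHI fields each job role needs (minimum necessary per role).
ROLE_PERMISSIONS = {
    "billing": {"patient_id", "insurance_id", "billing_codes"},
    "clinician": {"patient_id", "name", "diagnosis", "medications"},
    "support": {"patient_id"},
}

# Constructed sample record; all values are placeholders, not real PHI.
PATIENT_RECORD = {
    "patient_id": "P-0001", "name": "Sample Patient", "diagnosis": "J45.9",
    "medications": ["albuterol"], "insurance_id": "INS-555", "billing_codes": ["99213"],
}


class PHIAccessDenied(Exception):
    pass


class AuditLog:
    """Append-only list of access events keyed to the unique user id (audit controls)."""

    def __init__(self):
        self.entries = []

    def record(self, user_id, role, requested, purpose, outcome):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id, "role": role, "purpose": purpose,
            "requested": sorted(requested), "outcome": outcome,
        })

    def denied(self):
        # Denied attempts are the events a compliance reviewer inspects first.
        return [e for e in self.entries if e["outcome"] != "granted"]


def access_phi(user_id, role, requested_fields, purpose, record, log):
    """Return the requested fields only if every one is within the role's permission set.
    Over-broad requests are refused and logged, not silently trimmed, so they stay visible."""
    requested = set(requested_fields)
    allowed = ROLE_PERMISSIONS.get(role, set())  # unknown role -> nothing allowed
    excess = requested - allowed
    if not requested or excess:
        log.record(user_id, role, requested, purpose, f"denied: {sorted(excess) or 'empty request'}")
        raise PHIAccessDenied(f"{user_id} ({role}) may not access {sorted(excess)}")
    log.record(user_id, role, requested, purpose, "granted")
    return {f: record[f] for f in requested if f in record}
```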