Your Essential Guide to HIPAA Compliance: A Checklist for Vendors

Posted on May 11, 2020 - by Justin Gratto - in Building Your InfoSec Program


If your business is looking to expand into the healthcare sector (or has customers who are doing so), you know how quickly questions about HIPAA compliance start to come up.

Many service providers and tech vendors reach this point and begin considering how their business can become a HIPAA-compliant business associate. If you’re in that phase, researching the requirements and building your information security program, we have the information you’ll need and a checklist to start moving your business toward HIPAA compliance.

What is HIPAA?

It’s always best to start by defining the basics: HIPAA is an acronym that stands for Health Insurance Portability and Accountability Act. HIPAA is a U.S. law that governs healthcare and health insurance providers, as well as other “covered entities,” in how they handle “protected health information” (PHI).

HIPAA regulates how health insurers and healthcare providers in the U.S. collect, protect, and share patient information. It is federal legislation that sets the minimum standard of health data privacy compliance across all states. However, state legislatures can adopt even more protective rules than HIPAA, raising the compliance bar higher for protecting health information in those states.

What is HIPAA compliance?

When people refer to “HIPAA Compliance” concerning third-party vendors, such as SaaS vendors and tech providers, they are talking about fulfilling the requirements of the Security and Privacy Rules as defined by HIPAA.

So, how do you get started towards HIPAA compliance?

Often our customers come to us asking about HIPAA compliance because a prospect asked them if they were HIPAA compliant. They may not have a good answer to that question. After an exchange like that, they ask us the question: “What is HIPAA compliance and how do I get started?”

If you are a vendor that provides a SaaS-based service or software, you want to begin by understanding what the Security and Privacy Rules mean to your business.

What are the HIPAA Security and Privacy Rules?

HIPAA Security Rule

The HIPAA Security Rule comprises three pillars of safeguards that encompass the necessary controls and procedures prescribed in HIPAA. These pillars are:

  • Technical Safeguards
  • Physical Safeguards
  • Administrative Safeguards

Technical Safeguards are the technical security configurations, controls, and infrastructure in place to identify, protect against, detect, respond to, and recover from incidents that could affect the confidentiality, integrity, or availability of ePHI (electronic PHI). An example of a Technical Safeguard is end-to-end encryption of ePHI in transit.

Physical Safeguards are the physical security controls, infrastructure, and measures in place to protect against and detect unauthorized physical access to PHI or ePHI. One example of a Physical Safeguard is Role-Based Access Control, or “RBAC,” which you must enforce in the data centers that store ePHI. You must implement RBAC for the systems and employees accessing ePHI, and a role should only be granted ePHI access when that access is a requirement of the role.

Administrative Safeguards are the administrative security policies, procedures, and workflows required to assure the confidentiality, integrity, and availability of ePHI. An example of an Administrative Safeguard is a Business Continuity and Disaster Recovery Plan.

HIPAA Privacy Rule

The HIPAA Privacy Rule lays out the rules related to the use, disclosure, and procedural or operational safeguards of PHI. The Privacy Rule also defines the patient’s or PHI subject’s rights under HIPAA.

Some of the requirements laid out in the Privacy Rule include the following:

  • Having a privacy policy that covers the use and disclosure of PHI, the rights of the PHI data subjects, access to PHI, and denial of access to PHI.
  • Having a publicly available “Notice of Privacy Practices” that clearly describes topics like what your company does with PHI and how you protect it.

Business associates must also appoint a compliance or privacy officer that will be responsible for HIPAA compliance in the organization and any complaints received.

Of course, there is much more to both the Security and Privacy rules in the details and fine print, but this overview gives you a sense of what you’ll need to do. (Scroll down if you want to get our complete HIPAA Compliance Checklist.)

Who needs to be compliant under HIPAA regulations?

HIPAA compliance primarily applies to organizations that fall under the term “covered entity.” Organizations that qualify as a covered entity under HIPAA include healthcare providers, health plans, and healthcare clearinghouses.

So how does this apply to your business then, if it isn’t actually in the healthcare industry?

HIPAA also requires “business associates” to meet the requirements of the Security Rule and Privacy Rule of HIPAA. A business associate may also have additional contractual obligations relating to HIPAA Compliance as laid out in a Business Associate Agreement or “BAA.”

Healthcare Providers consist of doctors, clinics, hospitals, continuing care facilities (nursing homes), and any specialists practicing medicine whose services an insurer would cover.

Health Plans consist of health insurance companies, HMOs, private-sector group health plans, and public sector group health plans.

Healthcare Clearinghouses are service providers that process insurance claims and check for errors, acting as an intermediary between an insurer and a provider. These entities handle ePHI in many forms; therefore, they belong to the category of covered entities.

Business Associates are third parties that provide some service to a covered entity but are not part of the covered entity’s core workforce. This can include vendors, software providers, or other services that a covered entity might need to obtain.

What are some examples of a business associate?

  • A third-party accounting firm that provides its services to a healthcare provider and accesses PHI (claims) to perform their role.
  • A third-party SaaS vendor whose software a healthcare provider uses to process ePHI in any way, such as a CRM that holds personal contact information (even if it does not contain medical records).
  • A consultant requiring access to PHI during their engagement, for any purpose.

What is HITECH?

HITECH is an acronym for the Health Information Technology for Economic and Clinical Health Act. HITECH was passed in 2009, and enforcement began in 2013. The better question is, “Why does HITECH exist?”

HIPAA has been around since 1996. It was not a perfect piece of legislation and could certainly not foresee the changes in technology or the benefits of cloud-based software. After so many years, HIPAA needed an update that specifically addressed some of its weaker points. Some of the key additions in HITECH that updated HIPAA were the following:

  • Modernize the Security and Privacy Rules
  • Enforcement rules to ensure the requirements are actually enforced
  • Breach notification requirements
  • Making business associates liable for compliance with the Security and Privacy Rules

Does HIPAA apply outside the U.S.?

Not exactly. But if you want to sell software to a covered entity in the U.S., then depending on the nature of the data the software handles, you may find yourself in the position of a business associate. The covered entity would require you to sign a legally binding BAA, which is an extraterritorial contract.

What are the consequences of non-compliance under HIPAA?

For covered entities, penalties for HIPAA violations depend on the degree of intent or negligence. They can range from fines to incarceration in extreme cases, such as identity theft or fraud.

Business associates, depending on the circumstances, can be liable for any violations for which they are responsible under HIPAA.

Taking Your First Steps Toward HIPAA Compliance

With a gap analysis, you can discover what additions or changes you need to make to meet the HIPAA-specific requirements. If you already have a security and privacy program that adheres to a framework such as SOC 2, you’re already a step closer to operating as a “business associate” to the healthcare industry. If you don’t have a robust security and privacy program, you’ll find more gaps between your business and the HIPAA compliance requirements.

This also helps you understand the tasks ahead of you, what projects you can start working on immediately, and in which areas you might need outside assistance. If you’re using the Securicy app (which you can try free), it will automatically generate custom policies and procedures, designate key officers, and track your progress toward compliance.

However you decide to build and track your security and privacy program, HIPAA compliance can feel like an overwhelming project. One easy thing you can do to get started now? Check out our free HIPAA compliance checklist.

Get the HIPAA Compliance Checklist for Business Associates

About the author

Justin Gratto is a Canadian Army veteran, experienced information security professional, and the Senior Director of Product at Securicy. Justin is accountable for product ownership at Securicy, a SaaS platform that assists businesses through creating, implementing, and managing their information security and privacy compliance program. He leads the customer success team, coordinates advisory service delivery, and holds the responsibility of Security and Privacy Officer at Securicy. When Justin isn’t performing his duties at Securicy, he likes to go on adventures to new places to visit, learn about, and taste different cultures. He is from Nova Scotia, Canada.