Do You Need To Be HIPAA-Compliant When Selling Medical Supplies Online and Collecting Insurance Information?

The rules of HIPAA-Compliance apply to any business entity when protected health information is involved. For example, when PHI is electronically processed, stored, and managed, the physical, administrative, and technical safeguards of HIPAA compliance must apply. When it comes to selling medical supplies online or collecting insurance information, the same rules apply; if it involves PHI, the entity must be HIPAA-Compliant.

The article will break down these situations, discover when HIPAA-Compliance is needed, and learn if HIPAA applies in all circumstances. Unfortunately, these types of businesses often confuse medical professionals because the distinction between what rules apply is often unclear and difficult to comprehend in some cases.

Do You Need to Be HIPAA-Compliant When Selling Medical Supplies?

Countless online medical supply distributors sell everything you need for a hospital or medical practice. Everyday items include medical equipment such as EKG machines, Ventilators, and Dopplers. They also sell consumables like bandages, facemasks, and everyday medical kits.

Some medical devices fall under HIPAA compliance; however, if the equipment is brand new and straight from the factory, then HIPAA compliance does not apply because the equipment is brand new and has never been in touch with a patient. The complexities arise when medical supplies are traded or resold.

Nearly all medical equipment requires the healthcare professional to log on to the device; the patient’s details are often required, and the equipment may locally store medical imagery, doctor’s notes, and potentially various touch points for protected health information. In addition, the devices usually have an internal memory slot and often hard drives built to save vital information.

Any medical devices that transmit, receive, or record health information need to be HIPAA compliant. In addition, any data saved onto the instrument must do so with the patient’s consent. The required HIPAA-compliant safeguards must involve:

• Privileged Access: Only authorized and privileged should be able to log onto the medical device. Use Multi-Factor Authentication to protect it, and no shared or automated logins. All sessions must be traceable, and users should automatically log off after a few minutes.
• Encryption: All data saved to the medical device must be encrypted to at least AES256 encryption standards. This will protect the data if the hard drive is removed after the medical supplier has sold it. In addition, encrypt all email communications, mainly if the email contains PHI.
• Manage Patient Data: If the medical device is being resold, it is the device owner’s responsibility to ensure that patient data is removed before being sold. If you cannot remove the data, regretfully, the device will need to be professionally destroyed, and a certificate of destruction is required.
• NPI Number: A valid National Provider Identifier (NPI) is needed on all reseller medical devices; covered healthcare providers must use the NPIs in the administrative and financial transactions adopted under HIPAA.
• FDA Approval: Many medical supplies offer specialist equipment containing laser products or other cutting-edge technology. A license is required to sell Class 1 equipment online that can be bought online, but any equipment above Class 3 requires FDA approval.

Do You Need to Be HIPAA-Compliant When Collecting Insurance Information?

The requirements of HIPAA compliance are much clearer when collecting insurance information because if any protected health information is included in the claim, then its imperative to abide by the HIPAA legislation. PHI is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity and can be linked to a specific individual.

Protected Information includes over 18 identifiers. These include:

• Name
• Address
• Date of Birth
• Specific Dates related to healthcare including birthdate, admission date, discharge date, date of death, and exact age if over 89
• Telephone numbers
• Fax number / Email address
• Social Security Number
• Medical record number
• Health plan beneficiary number
• Account numbers such as Insurance Account details
• Certificate or license number
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Internet Protocol (IP) Address
• Biometrics (fingerprints or optics)
• Photographic image – Photographic images are not limited to pictures of the face.
• Any other characteristic that could uniquely identify the individual

When collecting insurance information, almost all identifiers are used. Therefore, HIPAA compliance must apply.

How to Become HIPAA-Compliant

The best way to uphold the integrity of PHI is to outsource critical IT systems to host your Medical supply business or provide the platform for collecting insurance information. HIPAA regulations are extensive and require significant investment to be achieved. Outsourcing removes the overwhelming majority of these concerns.

To summarize the complexity of becoming HIPAA compliant, here are some of the mandatory and advisory requirements of HIPAA.

• Network layer encryption to NIST cryptographic standards.
• Centrally managed access controls with MFA.
• Identity and authenticate all sources of PHI.
• Encrypt all endpoint devices, including medical devices.
• Detailed activity auditing, such as SEIM
• All touchpoints must feature automated logoff
• The hosting location (data center) requires controlled access measures.
• All user workstations must limit access to health data.
• Mobile devices must restrict access to health data.
• All items must be traceable (inventory)
• A risk assessment is needed to identify weak touchpoints.
• Risk assessment is an ongoing process.
• Train employees on all PHI access protocols.
• Employees must know what can and cannot be shared.
• Achieve ongoing business continuity.
• Test your contingency planning.
• Block unauthorized access.
• Document all security incidents.
• Respond promptly to patient access requests.
• An NPP is required to inform patients of data-sharing policies.

Atlantic.Net is an award-winning HIPAA-compliant hosting provider with over 25 years of experience, providing world-class hosting solutions to leading healthcare clients.

Atlantic.Net operates SSAE 18 SOC 2 and SOC2 audited and certified hosting solutions to meet the advanced IT needs of businesses. In addition, we are proud of our HIPAA-compliant hosting, HITECH, and PCI-ready options.

Contact our sales team today to find out how Atlantic.Net can help your organization meet and exceed HIPAA requirements with a managed or unmanaged hosting solution customized to meet your business’s needs.

Learn more about our HIPAA-compliant web hosting and HIPAA cloud hosting solutions.