The healthcare industry is growing fast, and with it is the sector that specializes in Health Insurance Portability and Accountability Act compliance, a.k.a. HIPAA compliance. This form of compliance is critical for healthcare plans, providers, and clearinghouses: it allows the US Department of Health & Human Services to know businesses are safeguarding patient information. Specifically, HHS verifies that businesses closely interacting with protected health information (PHI) safeguard it in the manners described by the Privacy Rule and Security Rule of the law’s Title II.
One obvious aspect of the field is HIPPA Compliant Hosting and colocation, the direct supply of technological services to healthcare businesses, so that the IT infrastructure is sufficiently protected and free from liability concerns. However, the HIPAA compliance market – which represents growth opportunities for enterprises new and old – is more diverse than it may first appear.
This article will look at three additional aspects of the HIPAA compliance arena, preceded by a Real World Scenario (RWS) and an explanation of one term that is used. Our RWS series highlights interactions between our hosting consultants and potential clients, to provide readers with specific situations and requests related to compliance IT.
HIPAA compliant physical therapy app
Client: I am in the process of developing an app for physical therapy. It will include 300+ videos, email between therapist and client within the app, and client data tracking. Here are a list of requirements for the server:
- Dedicated server
- Linux OS
- Apache HTTP Server
- PHP installed
- MySQL database installed
- Control Panel.
Please let me know how you can help me.
[Consultant provides Client with Proposal and Business Associate Agreement (BAA).]
What’s a business associate agreement?
A business associate agreement, or BAA, is a contract signed between a healthcare organization and a third party, the latter of which is supplying a solution for the organization that will involve patient data. In this arrangement, the healthcare firm is considered a covered entity by HIPAA, and the external party handling data on their behalf is considered a business associate.
HIPAA compliance field subcategory – content creation
One aspect of HIPAA compliance that is developing rapidly alongside the healthcare industry is marketing. Companies that perform marketing services for HIPAA compliance organizations – such as hosting companies like ours – generate marketing collateral, such as articles and videos, to showcase expertise.
In the age of “quality original content,” marketing companies are not the only organizations involved in production of collateral. Freelance writers are hired directly in some cases, as are illustrators and graphic artists. Video production companies can specialize in the production of HIPAA compliance pieces as well.
HIPAA compliance field subcategory – software development
Marketers are not the only professionals looking to take advantage of healthcare opportunities. Software developers can also create applications that abide by the parameters of the act. One example is the physical therapy application described above.
Web applications can serve multiple purposes: they can be used by the business internally or to enhance engagement between the business and patients (as with the above app). In some cases they are designed specifically as mobile applications, especially when patients are the primary users.
HIPAA compliance field subcategory – consulting
Consultants are also useful to covered entities at times. These specialists have a narrow focus on the specific needs organizations have related to the law. Possible aspects of business for which a consultant can provide guidance include the following:
- risk analysis/vulnerability assessments
- project management
- contingency planning
- establishment of a compliance officer with general management responsibility for any business components related to HIPAA.
A consultant can review a healthcare facility’s policies and procedures, along with its technological architecture, to determine if anything needs to be updated or reorganized. This consultation process is used by some companies to cut costs: consultants provide information that can then be used by the company to conduct an audit itself.
HIPAA compliance field subcategory – auditing
Organizations also can perform complete audits of companies to determine if they are 100% compliant. These audits can be useful both to covered entities and business associates. Covered entities are able to determine any elements of the business that might be problematic, while business associates can use an audit both to make any corrections and to establish a third-party verification so clients can trust their system.
Companies that perform audits should be experts on HIPAA generally, but they should especially have a strong understanding of the Security Rule. The three elements of the Security Rule that are of special concern are the following:
- Risk Management Standard
- Audit Controls Standard
- Evaluation Standard.
Finding specialists that deserve your business
Atlantic.Net has been offering compliant healthcare solutions for half a decade, based on technological experience established throughout our 20-year history. Our HIPAA Compliant Server page provides you a roadmap for the extensive HIPAA information we have available through our site.