The healthcare industry is growing fast, and with it is the sector that specializes in Health Insurance Portability and Accountability Act compliance, a.k.a. HIPAA compliance. This form of compliance is critical for healthcare plans, providers, and clearinghouses: it allows the US Department of Health & Human Services (HHS) to know that businesses are safeguarding patient information. Specifically, HHS verifies that businesses closely interacting with protected health information (PHI) safeguard it in the manner described by the Privacy Rule and the Security Rule of the law’s Title II.
One obvious aspect of the field is HIPAA compliant hosting and colocation, the direct supply of technological services to healthcare businesses. In that arrangement, the provider keeps the IT infrastructure sufficiently protected, so the client is free from liability concerns on that front. However, the HIPAA compliance market, which represents growth opportunities for enterprises new and old, is more diverse than it may first appear.
This article will look at three additional aspects of the HIPAA compliance arena, preceded by a Real World Scenario (RWS) and an explanation of one term used. Our RWS series highlights interactions between our hosting consultants and potential clients to provide readers with specific situations and requests related to compliance IT.
HIPAA compliant physical therapy app
Client: I am in the process of developing an app for physical therapy. It will include 300+ videos, email between therapist and client within the app, and client data tracking. Here is a list of requirements for the server:
- Dedicated server
- Linux OS
- Apache HTTP Server
- PHP installed
- MySQL database installed
- Control Panel.
Please let me know how you can help me.
[Consultant provides Client with Proposal and Business Associate Agreement (BAA).]
What’s a business associate agreement?
A business associate agreement, or BAA, is a contract signed between a healthcare organization and a third party that supplies a solution for the organization involving patient data. In this arrangement, the healthcare firm is considered a covered entity under HIPAA, and the external party handling data on its behalf is considered a business associate.
HIPAA compliance field subcategory – content creation
One aspect of HIPAA compliance that is developing rapidly alongside the healthcare industry is marketing. Companies that perform marketing services for HIPAA compliance organizations – such as hosting companies like ours – generate marketing collateral, such as articles and videos to showcase expertise.
In the age of “quality original content,” marketing companies are not the only organizations involved in producing collateral. Freelance writers are hired directly in some cases, as are illustrators and graphic artists. Video production companies can specialize in the production of HIPAA compliance pieces as well.
HIPAA compliance field subcategory – software development
Marketers are not the only professionals looking to take advantage of healthcare opportunities. Software developers can also create applications that abide by the parameters of the act. One example is the physical therapy application described above.
Web applications can serve multiple purposes: they can be used internally or to enhance engagement between the business and patients (as with the above app). They are designed specifically as mobile applications in some cases, especially when patients are the primary users.
HIPAA compliance field subcategory – consulting
Consultants are also useful to covered entities at times. These specialists have a narrow focus on the specific needs organizations have related to the law. Possible aspects of business for which a consultant can provide guidance include the following:
- risk analysis/vulnerability assessments
- project management
- contingency planning
- establishment of a compliance officer with general management responsibility for any business components related to HIPAA.
A consultant can review a healthcare facility’s policies and procedures, along with its technological architecture, to determine if anything needs to be updated or reorganized. Some companies use this consultation process to cut HIPAA compliant server costs and general compliance costs: consultants provide information that the company can then use to conduct an audit.
HIPAA compliance field subcategory – auditing
Organizations can also perform complete audits of companies to determine whether they are 100% compliant. These audits can be useful both to covered entities and to business associates. Covered entities can identify any elements of the business that might be problematic. Business associates, in turn, can use an audit to make corrections and establish third-party verification so that clients can trust their systems.
Companies that perform audits should be experts on HIPAA generally, but they should especially have a strong understanding of the Security Rule. The three elements of the Security Rule that are of special concern are the following:
- Risk Management Standard
- Audit Controls Standard
- Evaluation Standard.
Finding specialists that deserve your business
Atlantic.Net has been offering compliant healthcare hosting solutions for half a decade, based on technological experience established throughout our 20-year history. Our HIPAA compliant hosting page provides you a roadmap for the extensive HIPAA information available through our site.