Healthcare providers and their business associates who handle identifiable protected health information (PHI) have both an ethical imperative as well as a legal mandate to ensure the privacy and security of this data.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes requirements for the protection of patient health information from unauthorized use and disclosure without patient consent.
Do you know if your accounting software is HIPAA-compliant? Did you even know that it’s supposed to be?
Let’s look at what HIPAA rules mean for healthcare accounting software, which entities need to meet compliance requirements, and how organizations become HIPAA-compliant.
How Does HIPAA Apply to Accounting Software?
Passed in 1996, HIPAA has grown from its beginnings as a way to make health insurance more portable for people changing jobs to a set of regulations that govern the privacy and protection of sensitive patient information.
HIPAA applies to both covered entities (for example, healthcare providers and insurers) and their business associates (any organization that must access PHI in the course of its business operations, such as vendors who provide billing, accounting or legal services to covered entities). If an accounting software system used by a covered entity contains identifiable protected health information, such as patients’ names and contact information within detailed Accounts Receivable data, then it is subject to HIPAA rules.
The following HIPAA rules apply to accounting software compliance.
HIPAA Privacy Rule
This rule mandates the protection of individually identifiable health information. Identifying data includes name, phone number, address, Social Security number, or any other personally identifiable details. Medical information covered by this rule includes mental or physical diagnoses, medical treatments, or payment history.
The HIPAA Privacy Rule dictates the use of patient data by healthcare providers and to whom they can disclose this information without explicit patient permission.
HIPAA Security Rule
This rule sets standards for how organizations secure electronic protected health information (ePHI). The safeguards required include administrative (policies and procedures for maintaining security), physical (controlled access), and technical (cybersecurity) safeguards. We’ll examine these safeguard designations more closely in a subsequent section. All security measures must be documented.
HIPAA Breach Notification Rule
As the battle between the cybersecurity industry and hackers rages on, it’s clear that having contingency plans in place is wise. That thinking is what brought about this rule. No data system is 100% secure.
The Breach Notification Rule defines when and how to notify patients in the instance of a breach of unsecured PHI to limit damages.
Components of the Breach Notification plan include notifying affected parties as well as submitting public disclosure about the breach to news outlets. Data breach notification must take place within 60 days of the event.
HIPAA Omnibus Rule
Enacted in 2013, the Omnibus Rule addresses the role of business associates. These are organizations or people who perform services that require access to PHI. Business associates include organizations that provide services in categories such as:
- Accounting
- Actuarial
- Consulting
- Data Aggregation
- Financial
- Legal
- Management/Administrative
How Does HIPAA Compliance Work?
For an organization to become HIPAA-compliant, it must undergo a process during which it creates policies, examines current practices, and implements necessary changes.
The Department of Health and Human Services’ Office for Civil Rights, which is the governing body that oversees HIPAA rule enforcement, does not offer any formal designation for an organization that complies with the rules. Rather, compliance is tested through audits and reporting. Only when an organization is found to be out of compliance through an audit or evaluation is formal action taken.
To understand this process in-depth, it is important to review the full text of the HIPAA rules.
The following is a high-level overview of steps an organization must take to achieve and maintain HIPAA compliance.
1. Designate HIPAA Privacy and Security Officers
These roles can be held by one or more individuals. The persons holding these positions should receive formal security officer training and be granted authority within the organization to act on behalf of the company in the interest of maintaining compliance. They are also tasked with creating and implementing the organization’s HIPAA compliance program.
2. Establish Security Safeguards
To ensure the security and privacy of PHI handled by your company, your designated HIPAA officers must establish organization-specific privacy and security protocols. These policies should be well-documented, updated as needed, and shared with staff and contractors as part of a regular training program. In fact, HIPAA mandates that staff be trained on HIPAA policies at the time of orientation and at minimum once yearly after that. At the conclusion of their training, they must sign a document asserting they understand the HIPAA policy.
There are three types of safeguards that are mandated by HIPAA rules:
- Administrative Safeguards: These are the security measures that govern how HIPAA policy is administered within the organization. It covers the adoption of security systems, training of personnel, and regular assessment of security measures.
- Physical Safeguards: These policies dictate how PHI is kept secure within the physical confines of the office or data center. While ePHI is at the greatest risk from hackers, there are still many instances of theft from employees or contractors who can physically access data on-site.
- Technical Safeguards: These security measures are in place to protect ePHI from cyberattacks. Both hardware and software must be audited and controlled to ensure they meet HIPAA network requirements. There must also be established procedures that control how digital records are edited.
3. Draft a Breach Notification Protocol
This protocol is intended to ensure an organization is in a state of readiness to report should a breach occur. HIPAA mandates that the following groups must be notified:
- Individuals: All individuals whose PHI was compromised must receive notification within 60 days of the incident.
- Media: When a breach affects more than 500 residents of a State or jurisdiction, organizations are required to notify major media outlets in that region within 60 days of the incident, sharing the same information that was sent to the affected individuals.
- Secretary of Health and Human Services: The Secretary must be notified of any breaches, regardless of the number of individuals affected. Much like with media notification, if the breach impacts 500 or more individuals, the Secretary must be notified no later than 60 days following the breach. For breaches affecting fewer than 500 individuals, incidents may be reported annually.
4. Maintain Business Associate Agreements
All covered entities must receive satisfactory assurances that business associates are HIPAA-compliant. Business Associate Agreements should be reviewed on an annual basis. When entering into a contract with a business associate, covered entities should outline the details of when and how the business associate is permitted to use protected health information.
5. Keep Complete Records and Conduct Regular Self-audits
HIPAA compliance is an ongoing process that is subject to self-reporting and outside audits. Maintaining records is critical to an organization avoiding fines and penalties for falling out of compliance. This applies not only to your internal documents and files but also any systems or software used by employees and associates.
In assessing whether accounting software meets HIPAA standards, for example, you’ll want to determine where the data is stored (servers versus local computers and devices), who has access, and which practices are being used by business associates. Note that organizations are still responsible for PHI that might be vulnerable due to lax passwords or access controls, even if the software itself is encrypted end-to-end.
Keep Your Business in Compliance
Partnering with HIPAA-compliant accounting software like Sage Intacct is an important step toward safeguarding your patients’ vital information as well as avoiding penalties, which can be costly both to your bottom line and to your reputation.
Are you interested in learning more about the benefits of working with HIPAA-compliant accounting software? Contact us now!