As Senior Sign's founder and duly appointed HIPAA Compliance Officer, I work with our employees and customers to answer the all-important question, "Are you HIPAA compliant?" Though this is a bit of a loaded question, I feel it is one worth answering at length.
For starters what is HIPAA compliance and who regulates it?
In the current era where electronic health records (EHRs) have not only become the norm, but are required by law in most instances, software companies like Senior Sign have to be accountable for the treatment and protection of resident data (patient data for SNFs). This is especially important as electronic protected health information (ePHI) is more readily available than ever before. Either by luck or by using a crystal ball, HIPAA (Health Insurance Portability and Accountability Act) was passed in 1996 with the aim to modernize healthcare by addressing issues related to health insurance coverage and patient data privacy. One of its primary goals was to establish standards for the security and privacy of electronic health information. In my opinion, the law uses the term "standards" rather loosely.
It's very important to note that there is no formal certification or validation to show that a software system or organization is HIPAA compliant. Instead, achieving and maintaining HIPAA compliance is the ongoing responsibility of covered entities and their business associates (more on this later). Compliance is demonstrated through a combination of self-assessment, documentation, and adherence to the requirements outlined in the HIPAA regulations. If you're weighing any software solution for your senior living company, I would strongly advise you to understand the basics of HIPAA compliance (outlined below) and then ask how the potential solution meets or exceeds these requirements.
HIPAA compliance is regulated and enforced by the U.S. Department of Health and Human Services (HHS), specifically through the Office for Civil Rights (OCR). The OCR is responsible for overseeing and enforcing HIPAA and its associated regulations, including the Privacy Rule and the Security Rule. Link to Health and Human Resources HIPAA website: https://www.hhs.gov/hipaa/index.html
THE SHORT ANSWER
To save you some time skimming, here is a basic outline of what is covered over the following paragraphs. I've lumped information into 3 overarching categories: Technical Safeguards, Physical Safeguards, and Administrative Safeguards.
.png)
Technical Safeguards
Physical Safeguards
Administrative Safeguards
THE LONG ANSWER
Technical Safeguards
Encryption
Encryption is simply a mathematical means of turning data into codes. These codes are impossible to crack without the proper keys and makes whatever information is being sent or stored infinitely more difficult to steal. For our purposes, you can think of it like a digital safe for protected health information (PHI). HIPAA says that when we save or store that information on a computer server (at REST), that information needs to remain locked. HIPAA also states that PHI needs to remain encrypted while being sent or received over public or private computer networks (in transit). This is the equivalent of transferring information using a digital armored car. If you want to know that data and information is being protected while in transit just look for the "s" in the web address or https://.
Storage
Storing and protecting data is an important part of meeting HIPAA requirements. Hosting providers like AWS (Amazon Web Services) and Google Cloud offer HIPAA compliant hosting options that they manage for software companies like Senior Sign. This means that we execute a Business Associate Agreement (BAA) with the provider, in our case it's Google Cloud, and they take responsibility for certain HIPAA compliance aspects of our server setup. Things like hard drive encryption, physical facility locks, access controls for employees, and audit logs are handled by Google employees trained to handle HIPAA sensitive information. More on this in the next section.
I think it's worth mentioning here as well that there is a strongly held misconception that HIPAA requires healthcare providers to retain patient medical records and related documents for a minimum of seven years. HIPAA itself does not specify a specific retention period for medical records. Instead, the law defers to state and federal laws and regulations, as well as individual organization policies, to determine the appropriate retention periods for healthcare records. With that being the case, at Senior Sign we have implemented an internal policy stating that all signed documents will be internally stored for a minimum of seven years.
Add-On Service Providers
At Senior Sign, we exercise Business Associate Agreements (more on these below) with every single service provider with any form of access to our tool. For us that means that our integrated chat tool, our transactional email provider, front and back-end hosting companies, and even our help center provider, all sign BAAs in the unlikely event they see or gain access to any ePHI. We'd prefer to remain on the safe side of the law rather than risk it and find we have violated some area of HIPAA. Some of these tools charge extra for HIPAA compliance which means our basic overhead costs are higher than some larger electronic signature providers on the market.
Accounts and Logins
Unlike Docusign, Adobe Sign and other broad-market eSign solutions, we require each and every Senior Sign user to have a password protected account. As managers, residents, and family members collect and sign move-in paperwork, HIPAA requires we log their movements within our software. In order to record this information, we have to know the Who, What, When, and Where of it all. Hence the primary need for user authentication and role-based access. Additionally, maintaining user accounts ensures that ePHI is not improperly altered or destroyed.
Audit Trails
As mentioned above, Senior Sign is required by HIPAA to maintain detailed audit logs of all access and activity related to ePHI. These logs track who accessed the data, when they accessed it, and what changes were made. Each and every electronically signed agreement within Senior Sign includes an Audit Trail Appendix that outlines this information.
Device Controls
Accessing ePHI from a work computer or phone needs additional protocols and protections. At Senior Sign, we implement strict workstation standards for all company-owned devices. These standards include screen locking, firewall protection, and encrypted hard drives. Secure passwords and individual accounts are used for each employee whenever accessing sensitive information.
Physical Safeguards
Employee Training
Employee training is an important part of maintaining HIPAA compliance. At Senior Sign, every employee completes a comprehensive online course on HIPAA compliance, security policies, and best practices for handling ePHI. This certification is renewed every two years regardless of whether the employee has access to ePHI or not. We strive to limit user access from a corporate standpoint whenever possible.
Business Associate Agreements
Because our software interacts with healthcare providers, health plans, or other covered entities, we need to enter into BAAs with them. A BAA is a legally required agreement that outlines the responsibilities of each party regarding HIPAA compliance. In addition to executing BAAs with all of our customers, we enter into business associate agreements with any and all service providers that connect to our software in any form or fashion.
Documentation
Covered entities and business associates are required to develop and maintain comprehensive documentation of their HIPAA compliance efforts. At Senior Sign this documentation includes policies, procedures, risk assessments, training records, and other relevant documents.
Administrative Safeguards
Contingency Planning
Anytime a company is handling and storing ePHI, they should ensure they maintain adequate plans for data backup and disaster recovery. In the unlikely and unwanted event of a data breach, Senior Sign has outlined protocols surrounding rehearsal, prevention, notification, recovery, logging, and response. This Action Response Plan is reviewed at regular intervals and accompanies an assigned response team consisting of employees, legal advisors, and insurance advisors.
Data Breaches
The Breach Notification Rule requires covered entities to notify affected individuals and regulatory authorities if a breach of unsecured ePHI occurs. Determining whether an incident constitutes a breach involves a risk assessment based on factors like the nature and extent of the information involved. Timely reporting and mitigation are essential in breach response. In addition to the contingency plans outlined above, Senior Sign carries a Digital Breach insurance policy in addition to our regular business insurances. In the unlikely event of a breach, this policy provides added protections for our customers and their residents. As we continue to grow, this policy is reviewed from time to time to ensure it is adequate in size and scope.
Ongoing Evaluations
Under the Security of HIPAA, organizations would be wise to assign a Security Official or HIPAA Compliance Officer. At Senior Sign, that lucky individual is me (Neil Krauss). In addition to securing devices, training staff, executing BAAs, and reviewing contingency plans, I have the good fortune of regularly evaluating our software and company regarding HIPAA compliance. This involves reviewing policies and practices to identify areas of non-compliance and taking corrective action to address any deficiencies.
Notice of Privacy Practices
Under HIPAAs Security Rule, covered entities are required to provide individuals with a notice that explains their privacy rights and how their health information may be used or disclosed. This notice must be provided at the first encounter with the healthcare provider or health plan and must be made available upon request. If you're interested, you can find Senior Sign's Notice of Privacy Practices and other legal policies here: https://www.seniorsign.com/legal
Conclusion
While there is no official HIPAA compliance certificate issued by a regulatory authority, organizations are ultimately responsible for maintaining their HIPAA compliance. At Senior Sign we are committed to regularly reviewing and updating our policies, training, practices and procedures to address changing regulations and security threats.
Want market insights and other goodies?
