HIPAA Compliance and Security

HIPAA compliance and security are primary concerns when providing health services. Unfortunately, there is no government seal of approval that verifies a vendor's HIPAA security, and software or hardware alone cannot make a health provider HIPAA compliant. Technically speaking, no vendor can be “HIPAA-compliant” because software vendors do not meet the criteria of a Covered Entity (the entities to whom HIPAA applies).

Most vendors use “HIPAA compliance” as marketing shorthand to indicate that they have met at least some of the HIPAA-HITECH criteria for Administrative, Technical and Physical security controls. There is a wide spectrum of vendor understanding of HIPAA compliance. In some cases, a vendor's “HIPAA compliance” may consist of nothing more than a Business Associate Agreement (BAA) and encryption of data in transit. These are not sufficient by themselves for HIPAA compliance. In all cases, and in addition to the software itself, providers need security training and specific security policies and procedures to be considered HIPAA compliant. Many vendors now use the term HIPAA-secure to differentiate their HIPAA responsibilities from those of the provider.

Additionally, providers must have vendors sign a Business Associate Agreement (BAA) because the vendor has access to electronic Protected Health Information (ePHI), even if the vendor never actually accesses the data. While a proper BAA makes the vendor legally responsible for protecting the data in specific ways, it remains the provider's responsibility to perform due diligence and verify that the vendor is indeed adhering to the HIPAA security standards (Administrative, Technical and Physical controls and Privacy Policies), since the healthcare provider will be held responsible alongside the vendor. See HIPAA Compliance for Telemental and Telebehavioral Health. You can search telebehavioral health software by HIPAA criteria here.