Health Information Compliance Alert
Can You Rely On '100% HIPAA Compliant' Products?
PDF
Question: Our office has purchased encryption software that claims to be “100-percent HIPAA compliant.” When a vendor claims its product is “HIPAA compliant,” what does this really mean?
Answer: “Nearly every vendor of an encryption product that targets the healthcare market will claim that the product is HIPAA compliant,” stated healthcare attorney Casey Moriarty in an April 10 blog posting for Seattle-based Ogden Murphy Wallace Attorneys. “This representation is critical because health information that is properly encrypted is exempt from the HIPAA breach notification rules.”
Warning: But unfortunately, you cannot buy HIPAA compliance, Moriarty warned. “When a vendor states that its encryption product is ‘HIPAA compliant,’ the vendor is merely stating that the product meets the HIPAA encryption guidelines for data at rest (stored data) and data in motion (data that is transmitted over networks).”
Just because an encryption product meets HIPAA’s data encryption guidelines does not mean that you’re ultimately complying with the HIPAA Security Rule simply by using the product. In terms of encryption, the Security Rule standard states that you must “implement a mechanism to encrypt and decrypt electronic protected health information” (ePHI).
What to do: This standard is “addressable,” meaning that you must carefully analyze your organization’s operations to determine what type of encryption product is “reasonable and appropriate” for your business, Moriarty explained. You must base your analysis on a variety of factors related to your organization, such as:
Bottom line: Whether your organization is a small physician office or a large healthcare system, you must document why you believe that a selected encryption product is appropriate for your operations, Moriarty said. “While the idea of buying compliance might be attractive, HIPAA requires covered entities and business associates to look inward and conduct a thorough analysis of their operations.”
For more information on HIPAA’s data encryption guidelines, go to www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html.
Health Information Compliance Alert
- Case Study:
Get Ready For A 'Flood' Of Settlement Agreements From HIPAA Violations
Beware: Paper medical records are a hot commodity on the black market. If you have [...] - EHRs:
Need To Know: Ask 7 Questions Of Your EHR Developer
Understand the ins and outs of how your backup and recovery system works. Your electronic [...] - Toolkit:
Mitigate Your Security Risks With Different Types Of EHR Hosts
Cloud-based EHRs make you more dependent on your Internet connection. Do you know the difference [...] - Reader Questions:
Is Patient Consent Necessary For Secure Communications?
Question: Is patient consent required under HIPAA to allow secure encrypted communications with the patient? - Reader Questions:
Can You Rely On '100% HIPAA Compliant' Products?
Question: Our office has purchased encryption software that claims to be “100-percent HIPAA compliant.” When a [...] - Reader Question:
When Must You Send Out Updated NPPs?
Question: Our office is updating our Notice of Privacy Practices (NPP) to include the new patient [...] - Enforcement News:
When Medicare Will Remove Your Patients' SSNs From ID Cards
Plus: Find out how CMS plans to ease your MU reporting duties. Your patients will [...]