The compliance burden on healthcare IT companies has grown markedly over the past few decades, and the cost of noncompliance is substantial. In the US alone, organizations that fail to follow healthcare software compliance rules face civil penalties, corrective action plans, and the cost of breach response.
This post covers the standards and regulations that healthcare software companies need to watch, and what each one says about incident management and breach reporting: HIPAA, HITECH, GDPR, HL7, FHIR, and a handful of related interoperability and coding standards.
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a piece of legislation that exists to protect healthcare information and set standards for storing, sharing, managing, and recording protected health information (PHI). This is one of the main pillars of healthcare software compliance rules.
PHI is any individually identifiable health information handled by a covered entity or business associate. HIPAA's Safe Harbor de-identification method lists 18 identifiers that tie data to a person and that must be removed before data counts as de-identified: names; geographic subdivisions smaller than a state (street address, city, county, ZIP code, except the first three ZIP digits where that area holds more than 20,000 people); all elements of dates except the year that relate directly to an individual (birth, admission, discharge, death) and all ages over 89; telephone numbers; fax numbers; email addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and license plates; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers such as finger and voice prints; full-face photographs and comparable images; and any other unique identifying number, characteristic, or code.
HIPAA's implementing rules, issued by the Department of Health and Human Services (HHS) in the years after the 1996 statute, set the healthcare software compliance rules for security, privacy, breach notification, and enforcement, detailed below:
The HIPAA Security Rule outlines measures to protect PHI including:
- Technical safeguards, which cover the technology used to store and transmit electronic PHI (ePHI). Encryption of ePHI at rest and in transit is an "addressable" specification: an organization must either implement it or document an equivalent alternative, and in practice unencrypted ePHI on a lost device is treated as a reportable breach. The technical safeguard standards are:
- Access control (unique user identification, emergency access, automatic logoff)
- Person or entity authentication
- Integrity controls that detect improper alteration or destruction of ePHI
- Audit controls that record and let you examine activity in systems holding ePHI
- Transmission security, including encryption and decryption
- Physical safeguards, which secure physical access to PHI and lay out measures for securing mobile devices and workstations, comprising the following requirements:
- Facility access controls
- Guidelines for locating and using workstations
- Procedures for the usage of mobile devices
- Device and media controls covering hardware inventory, disposal, and re-use
- Administrative safeguards, which lay out the organizational measures for PHI protection, with the following requirements:
- Risk assessment
- Risk management policy
- Training employees on securely handling health data
- Developing a contingency plan
- Testing a contingency plan
- Restricting third-party access to data through business associate agreements
- Reporting security incidents
Other Rules in HIPAA Healthcare Software Compliance
- The Privacy Rule governs how PHI may be used and disclosed, and gives patients rights to access and amend their records. It requires healthcare organizations to:
- Train employees so they know what information may and may not be shared outside the organization's security boundary
- Limit uses, disclosures, and requests of PHI to the minimum necessary for the purpose
- Implement appropriate measures to maintain PHI integrity
- Obtain written authorization from patients before their health information is used for marketing, sold, or used for most research
- The Breach Notification Rule requires that when unsecured PHI is compromised, the organization notify affected individuals without unreasonable delay and no later than 60 days after discovery, notify HHS (within 60 days for breaches affecting 500 or more individuals, otherwise in an annual report), and notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction
- The Omnibus Rule (2013) extended direct liability under the Privacy and Security Rules to business associates and their subcontractors, so third-party services handling PHI are regulated stakeholders rather than merely contracted parties
What Is HITECH?
The Health Information Technology for Economic and Clinical Health Act (HITECH) was signed in 2009 as part of the American Recovery and Reinvestment Act. It strengthened HIPAA's healthcare software compliance rules and funded the adoption and "meaningful use" of electronic health records.
- HITECH introduced the breach notification requirement, a tiered civil penalty structure with higher maximums, and an HHS audit program that checks covered entities and business associates against the Privacy and Security Rules
- It extended the Security Rule directly to business associates and requires PHI to be shared through secure methods
What Is GDPR?
The General Data Protection Regulation (GDPR) governs the processing of personal data of individuals in the EU, and health data is one of its "special categories" that attract stricter conditions. GDPR applies to organizations established in the EU, and to organizations outside it that offer goods or services to, or monitor the behaviour of, individuals in the EU; it is the data subject's location, not citizenship, that matters.
GDPR influenced the California Consumer Privacy Act (CCPA), and there is still debate over whether a single U.S. federal standard will follow. Many states have since passed or are debating their own privacy laws, adding a further layer to healthcare software compliance requirements.
Some critical steps of GDPR compliance include:
- Appointing a Data Protection Officer (mandatory where core activities involve large-scale processing of health data) to oversee archival and real-time data flows
- Evaluating data-related risks by conducting a data protection impact assessment
- Designing and implementing a data security strategy
- Notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and notifying affected individuals without undue delay when the breach is likely to put their rights and freedoms at high risk
What Is HL7?
HL7 is an industry-standard as a part of healthcare software compliance requirements that sets out best practices for exchanging medical data between disparate healthcare systems. It has had two subsequent versions, v2 and v3:
- HL7 v2 suits distributed environments and centralized patient care systems where patient data resides in departmental subsystems
- HL7 v3 takes a new approach to exchange clinical information that relies on messages written in XML syntax
What Is FHIR?
The Fast Healthcare Interoperability Resources (FHIR) standard is HL7's current standard, defining resource data formats and APIs for electronic health records. In particular:
- It provides HTTP-based RESTful APIs through which healthcare providers exchange resources (Patient, Observation, Encounter, and so on) in JSON or XML
- FHIR combines the best features of the previous standards into a common specification that is flexible enough to meet a wide variety of use cases across the healthcare ecosystem
- The FHIR specification itself does not mandate an authentication or authorization scheme; the SMART on FHIR profile, built on OAuth 2.0 and OpenID Connect, is the usual way to control which applications and users can read or write which resources
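Because FHIR resources carry PHI in predictable JSON fields, the Safe Harbor identifier list from the HIPAA section above can be applied mechanically before a Patient resource leaves a controlled environment. The following is an added example, not code from this page or from HL7: it strips the Safe Harbor identifiers from a constructed FHIR R4 Patient, reduces dates to the year, collapses ages over 89 into a "90+" category, and truncates ZIP codes to three digits with the low-population prefixes replaced by "000". The sample resource, the reference date, and the extension URL used for the age category are all assumptions for the example; the restricted ZIP3 list is the one in HHS's Safe Harbor guidance and should be re-verified against the current guidance before use.

```python
"""Safe Harbor de-identification of a FHIR R4 Patient resource (added example)."""
import copy
import json
import re
import uuid
from datetime import date

# ZIP3 prefixes with fewer than 20,000 residents per HHS Safe Harbor guidance
# (2000 census figures): these must be reported as "000". Re-verify against
# current HHS guidance before relying on this list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Patient elements that directly carry Safe Harbor identifiers. The narrative
# (text) and meta are dropped too: the narrative is free text that usually
# repeats the name, and meta carries server-side identifiers and timestamps.
DROP_ELEMENTS = ("identifier", "name", "telecom", "photo", "contact",
                 "link", "text", "meta")

# Hypothetical extension URL used to carry the "90 or older" age category.
AGE_CATEGORY_EXT = "http://example.org/fhir/StructureDefinition/age-category"

# Constructed sample input for the example; not real patient data.
AS_OF = date(2024, 6, 1)
SAMPLE_PATIENT = {
    "resourceType": "Patient",
    "id": "mrn-4471923",
    "text": {"status": "generated", "div": "<div>Alice Example, DOB 1931-03-15</div>"},
    "identifier": [{"system": "urn:oid:2.16.840.1.113883.4.1", "value": "123-45-6789"}],
    "name": [{"family": "Example", "given": ["Alice"]}],
    "telecom": [{"system": "phone", "value": "555-0100"}],
    "gender": "female",
    "birthDate": "1931-03-15",
    "deceasedDateTime": "2023-11-02T08:30:00Z",
    "address": [{"line": ["1 Main St"], "city": "Exampleville",
                 "state": "NH", "postalCode": "03601"}],
}


def safe_harbor_zip(postal_code):
    """Keep only the first three ZIP digits, or '000' for restricted prefixes."""
    digits = re.sub(r"\D", "", postal_code or "")[:3]
    if len(digits) < 3 or digits in RESTRICTED_ZIP3:
        return "000"
    return digits


def parse_fhir_date(value):
    """A FHIR `date` may be YYYY, YYYY-MM or YYYY-MM-DD; missing parts default to 1."""
    parts = [int(p) for p in value[:10].split("-")]
    while len(parts) < 3:
        parts.append(1)
    return date(*parts)


def age_on(birth, as_of):
    """Completed years between two dates."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify_patient(resource, as_of, pseudonym=None):
    """Return a copy of a Patient with the 18 Safe Harbor identifiers removed."""
    if resource.get("resourceType") != "Patient":
        raise ValueError("expected a Patient resource")
    out = copy.deepcopy(resource)
    for element in DROP_ELEMENTS:
        out.pop(element, None)

    # The logical id is a unique identifying code; replace it with a pseudonym
    # that is not derived from anything about the patient.
    out["id"] = pseudonym or uuid.uuid4().hex

    # Geographic subdivisions smaller than a state: keep state and ZIP3 only.
    out["address"] = [
        {"state": a["state"], "postalCode": safe_harbor_zip(a.get("postalCode"))}
        for a in resource.get("address", []) if "state" in a
    ]

    # Dates: year only, and no birth year at all for ages over 89.
    if "birthDate" in resource:
        birth = parse_fhir_date(resource["birthDate"])
        if age_on(birth, as_of) > 89:
            del out["birthDate"]
            out.setdefault("extension", []).append(
                {"url": AGE_CATEGORY_EXT, "valueString": "90+"})
        else:
            out["birthDate"] = resource["birthDate"][:4]
    if "deceasedDateTime" in resource:
        out["deceasedDateTime"] = resource["deceasedDateTime"][:4]
    return out


if __name__ == "__main__":
    print(json.dumps(deidentify_patient(SAMPLE_PATIENT, AS_OF, "p-0001"), indent=2))
```

Two caveats a practitioner should keep in mind. Safe Harbor is one of HIPAA's two de-identification methods (Expert Determination is the other), and it has to be applied to every resource in a bundle, not just Patient: Observation, Encounter, and DocumentReference all carry dates and free text that re-identify the person. The pseudonym written into `id` is permitted only if it is not derived from the patient's data and the mapping back to the original is never disclosed alongside the de-identified set.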
What Are Some Other Standards for Healthcare Software Compliance?
- ICD-10 is the World Health Organization's tenth revision of the International Classification of Diseases, the coding system used for diagnoses on claims and in records
- XDS (Cross-Enterprise Document Sharing) is an IHE interoperability profile that describes how healthcare enterprises register, store, and share clinical documents with their peers
- XDS-I (XDS for Imaging) extends the XDS profile specifically for sharing medical images and imaging reports
- EVV (electronic visit verification) is a requirement, introduced by the 21st Century Cures Act for Medicaid-funded home health and personal care services, to electronically verify the time, place, and provider of home visits
How Much Does a Healthcare Software Compliance Program Cost?
HHS has published an estimate of what the HIPAA rule updates alone may cost a single organization:
- $80 for an updated Notice of Privacy Practices
- $763 for breach notification requirement updates
- $84 for business associate agreement updates
- $113 for security rule compliance
- Grand total per organization: $1,040
However, in practice, HIPAA compliance might actually cost considerably more:
- Total cost: $4,000 – $12,000 for a small covered entity
- Total cost: $50,000 or more for a medium/large covered entity
For GDPR, survey figures cited for small and mid-sized organizations show 74% spending more than $100,000 on compliance, 20% spending more than $1 million, and only 6% spending less than $50,000.
Are you a software developer, technologist, or healthcare software compliance manager who needs help in ensuring your regulatory and compliance software initiatives are affordable and time-effective?
If so, the team at KMS prides itself on being the partner of choice for healthcare software compliance and development teams looking to do just that. Speak with our dedicated team of experienced developers today.