Purchasing a “HIPAA compliant” technology product does not guarantee HIPAA compliance.

There. I said it.

In today’s healthcare marketplace, a vendor’s representation that its product is “100% HIPAA Compliant” is an important assurance for covered entities and business associates. Due to the complex and confusing HIPAA regulations, the idea of “purchasing” compliance can be very attractive.

Unfortunately, you cannot buy HIPAA compliance. To explain, allow me to use the example of encryption technology.

HIPAA Compliant Encryption

Nearly every vendor of an encryption product that targets the healthcare market will claim that the product is HIPAA compliant. This representation is critical because health information that is properly encrypted is exempt from the HIPAA breach notification rules.

But when a vendor states that its encryption product is “HIPAA compliant,” the vendor is merely stating that the product meets the HIPAA encryption guidelines for data at rest (stored data) and data in motion (data that is transmitted over networks).

In reality, the HIPAA Security Rule requires more than merely using technology that meets the encryption guidelines.

The HIPAA Security Rule – What Product is “Reasonable and Appropriate”?

The HIPAA Security Rule standard related to encryption states that covered entities and business associate must: “Implement a mechanism to encrypt and decrypt electronic protected health information.”

Because this standard is “addressable,” an entity must carefully analyze its operations to determine what type of encryption product is reasonable and appropriate for its business.

The analysis must focus on a number of different factors related to the entity, including:

  • The entity’s size, complexity and capabilities;
  • The entity’s technical infrastructure, hardware and software security capabilities;
  • Costs of encryption measures; and
  • Probability and criticality of potential risks to electronic PHI.

For example, if a small entity simply wants to send a limited number secured e-mails containing patient information, a top-of-the-line encryption product for all IT systems may not be necessary. Rather, a basic e-mail encryption product may suffice.

However, if a large health system regularly transmits a large amount of health information over public networks, a basic e-mail encryption product is probably not appropriate.

The vendor of the e-mail product might claim that its product is “HIPAA compliant,” but under the Security Rule, a deluxe encryption solution for the health system’s various IT systems probably makes more sense.

In all cases, it is important for the entity to document why it believes that a selected encryption product is appropriate for its operations.

Conclusion

The takeaway is that HIPAA compliance takes real work. While the idea of buying compliance might be attractive, HIPAA requires covered entities and business associate to look inward and conduct a thorough analysis of their operations.

Do not be misled by thinking that HIPAA compliance can be achieved by entering credit card information and pushing a button.

If you would like more information about HIPAA compliance, please contact Casey Moriarty.