
HIPAA Compliant Apps – Ep 303 

May 7, 2021

By Donna Grindle

We’ve all seen the websites of companies that claim to have a “HIPAA compliant” app, product or service. But does that really mean anything? The short answer is NO! There is no such thing. Today, we answer a listener question about products and services with these types of claims. And, as you can imagine, we have a lot to say about this topic. So let’s get started.


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


The HIPAA Boot Camp

Virtual Edition Aug 17-19, 2021


If you see a pair of bracketed numbers on the left side of a paragraph, you can click them to go directly to that part of the audio. Get the best of both worlds, from the show notes to the audio and back!
HIPAA Say What!?!

[04:16] Listener Alyson writes:

Help Me With HIPAA: I have something to say...

Love your show! Thank you for the useful info. You guys make an incredibly boring and tedious topic easier to learn and more enjoyable!

Question... is Microsoft 365 Forms truly HIPAA compliant? Would love it if you’d do a show on these types of apps and others who claim to be HIPAA compliant (i.e. JotForm, Zoom, etc.) as they’re more in demand since COVID-19. They all say that because they sign a BAA with you they’re compliant... yet I recall you saying that’s not necessarily true. So what’s the scoop?

Here’s a link specific to Microsoft 365 that generated my question: Security and Privacy in Microsoft Forms

Thank you!

HIPAA Compliant Apps

So, let’s just start by pointing out that there is NO such thing as a HIPAA compliant app, a HIPAA compliant company or a HIPAA compliant service. A company, or its app, product or service, is not, in and of itself, HIPAA compliant. What you really want to determine is:

  1. Is the company that developed the app, created the product, or provides the service doing its job to follow and meet HIPAA requirements?
  2. Can the app, product or service be used in a HIPAA compliant manner? Does it meet HIPAA compliance requirements?

Just trusting a vendor that says “we are HIPAA compliant” isn’t going to cut it. Don’t assume they must be compliant simply because they will sign a BAA. You have to look at the compliance program of the company itself, the security features of the app or service, where the data is stored, how the data is protected, etc. It is very important to vet these vendors and their apps.

[10:06] Also, keep in mind that all of these apps tend to come in several versions, some of which might meet compliance standards and others that do not. If the app is free, it is likely not meeting HIPAA compliance requirements, and the vendor probably won’t sign a BAA with you.

Now, here’s the next part. Once you have purchased the app or service plan that the vendor says meets HIPAA compliance requirements and you have the signed BAA, you still need to configure the app and use it in a HIPAA compliant manner. There are usually several steps in this process, and vendors provide an implementation guide for doing so.

Vetting Vendors and Apps

[14:55] Big vendors such as Microsoft and Google make their BAA available for you to download and sign, but it is your responsibility to go get it. They won’t negotiate it with you, but they do make it available.

You’ve heard us say “vet your vendors” time and time again. But how do you vet a company like Microsoft or Google? Large vendors will not usually fill out a due diligence survey for you. But almost every large vendor will have a white paper or resource guide explaining the security they have put in place, the methods they use, and how they follow HIPAA requirements. Pull that and keep it on file. But also read that documentation, because it typically includes the steps you need to follow to configure or use the app in a HIPAA compliant manner.

It is important to understand that if you purchase an app, product or service that comes with a suite of applications, like Microsoft 365 or Google’s G Suite, not all of the apps are necessarily covered under the BAA or included in the set of apps that can be used in a HIPAA compliant manner. So, don’t forget to check that. And don’t forget that any third party app integrations that you use with your Microsoft or Google apps, such as JotForm, have to be vetted separately. Just because you integrate them with a product that you have a BAA for doesn’t mean they adhere to HIPAA compliance standards too.

Remote Working Apps

[24:03] With more and more people working from home, the use of file sharing apps and video/web conferencing apps has been on the rise. But free versions of any app will not fall under a BAA.

Box and Dropbox are two commonly known file sharing apps. Both have multiple plans you can purchase, and only certain ones have the features that allow you to use them in a HIPAA compliant way. The same goes for Zoom’s video and web conferencing app. They have free, paid and healthcare versions. Only their healthcare version purports to follow HIPAA compliance requirements.

It’s important to understand the “needs” of your staff and the tools they use to accomplish their tasks. If they ask you whether they can use Dropbox for work documents, your first reaction might be NO! It’s better to find out what they are trying to accomplish. Solve the task they are trying to accomplish rather than just answering the question about the app itself. It’s important to teach staff why you use this instead of that, and why you can’t store data in certain apps.

Mailing Stuff

[34:36] We’ve discussed before the healthcare entities that have made mistakes when it comes to sending breach notification letters to patients. Here’s one example: A practice had a breach and needed to mail letters to patients. They contacted a company that could do the mass mailing for them. They sent the company the letter they wanted mailed and their list of the patients, with addresses, who were involved in the breach. But guess what? They didn’t have a BAA with the mailing company, nor did they vet them. Now they have a breach in the middle of their breach. And they have to send another letter saying they sent the first letter the wrong way.

Don’t use MailChimp, ActiveCampaign or some other electronic mailing service to send out letters to patients. Some of these vendors might have a solution that addresses HIPAA requirements, but again, you need to vet them. Now, you can send breach notifications via email if you have specific authorization from the patient to do so. A broad authorization to correspond with a patient via email is not good enough. It needs to be a specific authorization allowing you to send breach notifications to them via email.

Telemed Apps

[38:59] In March 2020, OCR released a notice of enforcement discretion allowing practices to use public facing telemedicine apps that do not normally follow HIPAA compliance standards to communicate with patients during the COVID-19 nationwide public health emergency. The announcement specifically stated that providers could use Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype to provide telehealth without the risk that OCR would impose a penalty for noncompliance with the HIPAA Rules. It also specifically stated that Facebook Live, Twitch, TikTok, and similar video communication applications are public facing as well, but should not be used in the provision of telehealth by covered health care providers.

If you were listening to our podcast episodes back then, you will remember that we recommended using platforms that do not meet HIPAA compliance requirements only as the exception to the rule, mainly because we didn’t know how long this thing would last. Although this enforcement discretion is still in effect, it will eventually end. The longer you use a solution that does not purport to follow HIPAA requirements, the harder it will be to move off the platform and onto something else... for your staff and for your patients.

Everyone should start planning now for what you are going to do and how you are going to handle things when this enforcement discretion ends. Legally, the enforcement discretion is tied to the federal declaration that COVID-19 is a public health emergency. Once the “public health emergency” declaration has ended, you will likely see this enforcement discretion end soon after. So, create your plans to notify your patients, change your workflow to deal with the switch, and make sure you have your documentation in place.

Stay away from those vendors that claim they are “HIPAA compliant” or have a “HIPAA compliant” app, product or service. Or, at the very least, ask lots of questions and thoroughly vet them before doing business with them. And remember that it’s all about understanding your use of an app and whether that use meets HIPAA requirements. So, pay attention. Ask questions. Vet the vendor and the app. And make sure you get a BAA.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
