There are many factors to consider when a health plan purchases a software solution, especially if the software will have access to protected health information (PHI). Protecting a health plan member's PHI is vital, and the health plan will want assurance that the software solution can protect that data, that it has the required contractual obligations in place, and that it employs staff who are trained on HIPAA privacy and security requirements.
1. Do healthcare software solutions have to comply with HIPAA?
When someone thinks of healthcare privacy, the first thing that comes to mind is HIPAA. The Health Insurance Portability and Accountability Act of 1996, generally referred to as HIPAA, is the statute under which the HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) and the HIPAA Security Rule (Subpart C of Part 164) were issued. The Privacy Rule was adopted, in part, to protect individuals' protected health information. The Privacy Rule must be followed by Covered Entities: health plans, health care providers that transmit health information electronically in connection with a standard transaction, and health care clearinghouses. Unless a software solution is a health care clearinghouse, it will not fit the definition of Covered Entity. However, HIPAA also applies to Business Associates: since the HITECH Act of 2009, Business Associates are directly liable for compliance with the Security Rule and with the Privacy Rule provisions that apply to them, in addition to the obligations imposed on them by contract.
Business Associates perform work on behalf of Covered Entities. HIPAA defines a Business Associate, in part, as a person (an individual or an entity) who, on behalf of a Covered Entity, “…creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities …, billing, benefit management, practice management, and repricing.” A Business Associate is also a person who “Provides … legal, actuarial, accounting, consulting, data aggregation…, management, administrative, accreditation, or financial services…where the provision of the service involves the disclosure of protected health information…” to that person. 45 CFR §160.103. The same definition also covers subcontractors that create, receive, maintain, or transmit PHI on behalf of a Business Associate.
If you are a Covered Entity and contract with a software solution company to perform work on your behalf that meets the above definition, the software solution is a Business Associate under HIPAA and must comply with HIPAA. A vendor that merely sells a product and never handles PHI on the plan's behalf is not a Business Associate; the determining factor is whether PHI is created, received, maintained, or transmitted for the Covered Entity.
2. What should be in a Business Associate Agreement?
You may have heard Business Associate Agreements come up during discussions around contracts involving PHI. When a Covered Entity contracts with a Business Associate, part of the contract, or an addendum to it, must be a Business Associate Agreement, commonly referred to as a BAA. The BAA protects PHI by placing rules around the use and disclosure of the PHI the Business Associate receives from the Covered Entity. Essentially, the BAA details the ways in which the Business Associate may use and/or disclose that PHI, the responsibilities of the Covered Entity, and the responsibilities of the Business Associate, including the obligation to implement Security Rule safeguards for electronic PHI. It is essential that all of the required items are in the BAA. The required terms are listed in 45 CFR §164.504(e) (Privacy Rule) and 45 CFR §164.314(a) (Security Rule).
As a health plan contracting with a software solution, you will want to ensure that all required elements are in the BAA. One of the key points to look for is that the software solution must report to the health plan any use or disclosure of PHI not permitted by the contract, any security incident of which it becomes aware, and any breach of unsecured PHI. HIPAA requires a Business Associate to notify the Covered Entity of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery (45 CFR §164.410), and most BAAs tighten this to a specific number of days. The reporting window matters because the Covered Entity has its own downstream deadlines: it must notify affected individuals, HHS, and in some cases the media, and its 60-day clock leaves less time the longer the Business Associate takes to report.
Another key item to look for in the BAA is language requiring the Business Associate to have a BAA with any subcontractor that creates, receives, maintains, or transmits PHI on its behalf. The BAA with the subcontractor must impose the same restrictions and conditions as the BAA between the Covered Entity and the Business Associate, so that the obligations flow down the entire chain of vendors that touch the PHI.
Ultimately, you will want to review the BAA line by line against the HIPAA regulations cited above and confirm that every required term is present.
3. Do the healthcare software solution employees have to take specific trainings?
When a software solution contracts with a health plan as a Business Associate, there generally are training and background check requirements for employees. HIPAA itself requires workforce training on privacy policies and security awareness (45 CFR §164.530(b) and §164.308(a)(5)), but it does not require background checks and does not fix a training frequency beyond periodic updates; the specific requirements, including how often training must occur and what background checks are needed, will be listed in the main contract between the health plan and the software solution.
Generally, a software solution that is acting as a Business Associate will ensure that its staff is trained annually on several topics. Most importantly, the staff should be trained on HIPAA Privacy and Security upon hire and annually after that, because they will be handling PHI. Software solution employees should also be trained upon hire and annually thereafter on General Compliance and on Fraud, Waste, and Abuse topics; these requirements typically flow down from the health plan's own compliance program obligations, such as those attached to Medicare Advantage or Medicaid business, rather than from HIPAA directly.
It is important for training completion to be tracked. HIPAA requires that training be documented and that the documentation be retained for six years (45 CFR §164.530(j) and §164.316(b)), and audits and accreditations will ask for the training completion logs.
While these are the minimum topics, Business Associates often train their staff on a variety of other topics as well, such as their own information security policies and incident reporting procedures.