10 Things You Should Demand of Your HIPAA Software

HIPAA security and privacy are cornerstones of basic healthcare security practice.

Why? Because your organization’s stored electronic protected health information (ePHI) is the single most important vulnerability your company or medical practice has.

ePHI is very valuable to hackers and is sometimes easily available to be stolen, and you face significant fines and other large liabilities if PHI under your care is taken or unnecessarily exposed.

The Federal Government, through the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), requires covered entities and business associates to perform an annual security risk assessment and tri-annual privacy breach risk assessment to certify your vigilance and commitment to protecting ePHI through best practices.

The process of performing a security or privacy risk assessment is manual and time-consuming: you need to collect information about your systems, practices, policies, and people; assess your current risk level and any deficiencies that need to be addressed; and show continued progress in reducing your PHI risk over time.

A quality assessment will also prioritize which risks you should invest in fixing based on their potential damage to your organization. This will help sequence the time and resources you need to dedicate to maintain a defensible security posture.

Many organizations turn to HIPAA software products to help reduce the time and energy it takes to properly review their security risks and provide the HIPAA attestation needed for HHS/OCR. These products can be time savers and process facilitators if they possess the right features.

Read on for our view of what capabilities you should look for in a HIPAA software product.

1. Self-Serve and Guided Execution

To manage the overall cost of ownership, a product should be easy enough for you to use on your own and be designed so that remote security experts can facilitate and validate an assessment for you.

This flexibility allows you to switch back and forth between assisted and self-service assessments so that you can manage your cost of ownership over time while still getting the help you need to stay compliant and manage risk.


2. Reference Policies and Procedures

Part of HIPAA compliance is having policies and procedures that, when followed, make your organization safer and less prone to PHI being exposed. These policies can range from how you onboard and offboard employees and their credentials to how often you review implemented safeguards.

Policies can be challenging (and not very fun!) to write. As a result, many HIPAA software products include sample policies and procedures: written documents, cross-referenced to the regulation each policy supports, with the language that requires tailoring to your specific circumstances.

These documents can save over 80% of the effort needed to complete this part of the HIPAA risk assessment.

3. Automated Collaboration Support

In most healthcare organizations, everyone is very busy and has a full plate of projects and tasks to accomplish. However, you will need the cooperation of your team members to complete a HIPAA assessment.

It is important that a quality HIPAA software product provides clear task delegation support, automated task status and completion tracking, and reminders and follow-ups to keep your team’s attention on their needed contributions to the process. Otherwise, you’ll have to manually track statuses and send emails to the team yourself, a large time waster!

4. Remediation Status and Tracking

Healthcare security and compliance is a journey, not a destination. Part of your responsibility under HIPAA is to show your current security posture, which includes gaps, in addition to your progress in addressing the gaps (also known as remediation) over time.

It is important that a HIPAA product automatically track your gaps, prioritize them, and show your remediation status over time. If you have a security incident in your organization, you will need to show OCR how you made attempts to close your gaps over time, or your fines could be increased considerably.


5. Multi-Location Support and Parent-Child Dynamic Synchronization

The nature of healthcare organizations and federal/state regulations is that they are in a continual state of change.

Hospitals buy physician practices, imaging centers, and other pre- and post-acute facilities to provide care throughout a patient’s entire care journey. Larger hospital systems branch out and acquire smaller regional hospitals to build a larger geographic presence. Even smaller physician practices often have multiple locations in more than one state. These are just a few examples of the ever-changing landscape.

The consequence of this is that almost every provider organization larger than one medical office is made up of many separate entities with numerous tax-IDs.

Why is this important?

The Federal Government requires each separate entity to provide its own security risk assessment. Doing this requires two important capabilities:

  1. parent/child sharing
  2. parent/child dynamic synchronization

Otherwise, an organization will be copying and pasting redundant policies, gaps, and remediation statuses manually across numerous (sometimes hundreds of) locations and manually updating all of them whenever remediation status changes.

6. Lower Cost of Ownership

The right platform should be easy to use and allow third-party consultants to collaborate and assist you in completing tasks.

With that flexibility, you can decide year-to-year whether you prefer to perform risk management internally or collaborate with consultants.

With this capability, provided the product delivers the right level of automation, your cost of ownership can be much lower over time as you can manage consulting expenses by foregoing third-party help in some years while using it in others, all the while maintaining continuity in the progress of your security program.

Many products on the market today are either very simple but not comprehensive enough, or very complex but not usable by members of your team who are not specialists.

7. Privacy and Security Risk Assessment in One Product Family

A HIPAA product family should support both your Security Risk Assessment (SRA) and Privacy Breach Risk Assessment (PBRA) needs. It does not make sense for your team to learn two different workflows and processes as this increases friction, cost, and user resistance.

8. Proven Security and Compliance Track Record

Do you have confidence that the product and process you follow will help you successfully pass an OCR audit and run a more secure healthcare organization? There are simple ways to examine this critical question:

  • How long has the company been in business serving this need?
  • Does the company providing the software have a track record of successful security and compliance performance? What is their audit success rate?
  • How many clients have they served, and for how long?

If your vendor does not want to discuss these issues with you or be transparent, look elsewhere!

9. Continuous Federal and State Regulation Updates

A product that does not help you comply with current regulations has little value, and state and federal regulations change continuously. Is your product up to date? How often is it updated? This is also very important for multi-state medical organizations, so that you have the proper guidance to accurately support your locations in each jurisdiction.

10. Meets OCR Guidance for Complying with HIPAA (Per U.S. Government Code of Federal Regulations)

Does your software partner represent to you that their product supports these specific HHS regulations?

  • Security Risk Assessment regulations per CFR 164.308(a)(1)
  • Privacy Breach Risk Assessment regulations per CFR 164.524

If not, find another partner! Your software must support these regulations to guarantee that you’re meeting all legal requirements.

HIPAA Software Features: The Conclusion

The most important quality a HIPAA software product can provide is a productive, straightforward way to secure your ePHI and comply with the law.

Used properly, a product that delivers the capabilities listed above helps foster a culture of compliance and security rather than denial that these laws and obligations exist. Failure to take this issue seriously, no matter how innocent the impulse, can impose very painful costs on even the smallest of medical practices.

Looking for HIPAA software that is equipped with these 10 must-have features to help you remain compliant year-round? Get in touch.