Software solutions continue to replace manual, repetitive work in all walks of life. The digital shift, which has been taking significant leaps over the past decade, has been pushed further by the Covid-19 pandemic. Now, even the organizations that have been hesitant in making the long-overdue digital move, have scrambled to become technologically enabled in order to survive and stay relevant. Nonprofits and other human services providers are no exception to this trend.
The pandemic brought many nonprofits, which had been resistant to the digital change, to innovative case management solutions. But, on the flip side, being forced to make the digital shift on an urgent basis also caused some organizations to make the wrong decisions in terms of choosing suitable case management solutions. With a plethora of case management software solutions for nonprofits available in the market, picking one that would fit the organization best was a tough call.
If you’re a nonprofit looking for a case management solution that fits your organization’s needs, you’d be amazed at the number of choices available for this relatively small segment. With every vendor claiming to be the right fit for your nonprofit, it is not an easy decision. Plus, with most case management software solutions offering a near-identical spec sheet, the choice tends to become even more confusing.
So, when you have to make this tough call between similar products, consider one final thing: compliance. This makes the decision much easier, because compliance with an industry standard is always a key indicator of a product’s quality and reliability. As case management at nonprofits mostly concerns people’s physical and mental health and wellbeing, the relevant standard here is HIPAA compliance, which we’ll delve into further in this article.
Before we talk about what compliance with HIPAA is, let’s first discover what HIPAA itself is. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. According to the Centers for Disease Control and Prevention (CDC), HIPAA is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
In other words, the Health Insurance Portability and Accountability Act was created to modernize and improve the flow of healthcare information, protect personal patient information maintained by the healthcare and healthcare insurance industries from fraud and theft, and take care of healthcare insurance coverage limitations. The Act comprises five titles comprehensively addressing the purpose it was created for.
HIPAA compliance, therefore, means that any healthcare product or service is compliant with the standards stipulated under the Act. Similarly, for the nonprofit software solutions sector, this compliance means that the solutions, including the case management software products, follow the standards and requirements set under HIPAA. There are many HIPAA-compliant case management solutions available today to choose from.
Any individually identifiable health information that a healthcare entity holds, together with the demographic details that can link it to a patient or client, is Protected Health Information (PHI). A patient or client’s name, address, phone number, Social Security number, medical records, financial information, and photographs can all be PHI. PHI that is created, stored, transmitted, or accessed electronically is called electronic protected health information, or ePHI, and falls under the same HIPAA regulatory standards.
HIPAA’s Security Rule regulates ePHI specifically. It’s pertinent to note that the Security Rule was added to HIPAA later than the Privacy Rule, to address the constant advancements in medical technology and the move to electronic records.
According to HIPAA regulation, there are two types of entities that require HIPAA compliance: covered entities and business associates. A covered entity is one that gathers, creates, or transmits PHI electronically in the course of healthcare transactions. Healthcare providers, health insurance companies, and healthcare clearinghouses are the organizations that can be called covered entities.
Business associates, on the other hand, are organizations that are contracted to perform on behalf of a covered entity and thus can have access to protected health information. Business associates cover a wide array of service providers including but not limited to billing companies, practice management firms, third-party consultants, EHR platforms, IT providers, faxing companies, physical and cloud storage providers, email hosting services, accountants, attorneys, and more.
All covered entities and business associates are required to meet a set of national standards set forth by the HIPAA regulation. Below are some of the ways these entities can ensure their HIPAA compliance:
Self-audits
HIPAA regulation requires covered entities and business associates to regularly assess their administrative, technical, and physical compliance gaps against the HIPAA Privacy and Security standards. HIPAA regulation makes it clear that organizations need to do more than a single Security Risk Assessment, which is just one of the several essential audits HIPAA-regulated entities are required to perform.
Remediation plans
Remediation plans are how covered entities and business associates correct the compliance gaps and violations identified through self-audits. These plans are comprehensively documented and include calendar dates by which each HIPAA compliance gap or violation will be remedied.
Policies, procedures, and employee training
It’s mandatory for covered entities and business associates to develop the policies and procedures needed to meet the HIPAA regulatory standards, which the HIPAA rules clearly outline. These policies and procedures must be updated on a regular basis. In addition, both types of entity must train their workforce on these policies and procedures annually, with employees signing a written attestation that they have read and understood the policies and procedures in their entirety.
Documentation
Every effort a HIPAA-regulated organization makes to comply with HIPAA must be fully documented. This documentation is what investigators review during a HIPAA audit or complaint investigation, and it is what allows an entity to pass a stringent HIPAA audit.
Business Associate Agreements
Both covered entities and business associates tend to share critical patient data (PHI) with a number of external vendors. So, they must enter into Business Associate Agreements (BAAs) with these vendors to protect data integrity and mitigate liability.
Incident management
In the event of data loss or a breach, a covered entity or business associate must have a standard operating procedure to document the incident and notify the affected individuals. In accordance with the HIPAA Breach Notification Rule, affected individuals must be informed that their data has been compromised without unreasonable delay and no later than 60 days after the breach is discovered, and the breach must also be reported to HHS.
HIPAA compliance violations come in a variety of types, ranging from minor data breaches to meaningful data breaches and more. Some of the most common causes of HIPAA violations include a stolen laptop, phone, or USB device, a malware incident or ransomware attack, hacking, a breach at a business associate, an office break-in, and social media posts.
A typical data breach event is one in which an unencrypted company laptop is lost or stolen and used to access medical records (in some instances, simply taking a company laptop offsite can be a HIPAA violation). In a minor breach, the data of fewer than 500 individuals is affected. If the breach affects 500 or more individuals, it’s called a meaningful breach.
Every meaningful breach must be reported to the HHS (U.S. Department of Health & Human Services) and is posted on its Breach Notification Portal. Also known as the HHS Wall of Shame, the breach notification portal is a permanent archive of all meaningful breaches, which, of course, count as HIPAA violations.
The portal is a searchable database, and once an organization’s name appears on it, it is effectively never removed. Besides the heavy civil penalties the HHS Office for Civil Rights can impose for these violations (ranging from $100 to $50,000 per violation, depending on the level of negligence, with annual caps per provision), serious HIPAA violations can damage a healthcare organization’s reputation beyond repair.
For organizations that deal with sensitive healthcare information about their clients or patients, it’s imperative to have the right security measures in place to ensure HIPAA compliance. Any entity that provides healthcare treatment, has access to patients’ personal health information, and/or operates in the healthcare sector as a covered entity or business associate is required to be HIPAA compliant. By definition, this also covers nonprofits and human services bodies that operate in the healthcare sector.
Plus, with the HHS (U.S. Department of Health & Human Services) pointing out that organizations dealing with protected health information (PHI) should move to computerized operations, HIPAA compliance becomes all the more important. Some types of computerized operations for nonprofit or other healthcare providers include electronic health records, computerized physician order entry (CPOE), and radiology, pharmacy, and laboratory systems.
So, it’s important that the case management solution your organization uses is also HIPAA compliant, so you can rest assured that the investment you’re making is the right one for the long run. Although industry compliance is mandatory in many other sectors, it’s more critically and repeatedly scrutinized in the healthcare sector, because the lives and wellbeing of people are at stake. If you’re considering moving to a digital case management solution, HIPAA compliance must be checked.