Becoming HIPAA Compliant

Recently, Non-Profit Software Corporation (NPSC) moved all of our NPSC-hosted houses to a different server in order to ensure that we were complying with the technological aspects of the Health Insurance Portability and Accountability Act, commonly known as HIPAA.

We are pleased that all our preparation work and testing translated to a smooth transition with only a few minor and quickly-remedied error messages. We hope you agree. If you don’t, please let us know.

Why is NPSC taking steps to become HIPAA compliant?

We believe that some Healthcare Hospitality Houses fall under the HIPAA umbrella, and that NPSC, because it stores and transmits Protected Health Information (PHI) gathered by Houses, is therefore liable as well.

What is Protected Health Information?

Protected health information (PHI) is defined in HIPAA and its implementing regulations as individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits. Simply put, Protected Health Information is health-related information about an identifiable person that needs to be protected because it could be used, abused, or misused by an individual, employer, potential employer, insurance company, etc., in a way that would harm the patient.

When a hospitality house collects a guest’s name and the name of the patient the guest is visiting (or when the guest is a patient), the basic linking of a patient’s name to the hospital where the patient is being treated puts the hospitality house in the position of having some PHI. The house may also collect personally identifiable information such as address, telephone numbers, and the like.

Many Hospitality HouseKeeper (HHK) users collect even more than that basic data set. For grant-writing purposes, they also collect the patient’s room number or the floor or department within the hospital where the patient is being treated (e.g., oncology, transplant unit), the name of the attending physician, and/or the main diagnosis. Tracking in HHK the number of days the patient spends in the hospital adds still more PHI that must be protected under HIPAA.

Why is protecting such information not just an issue for Houses?

HIPAA requires the entities it regulates to take steps to protect PHI. The lingo for such bodies in the actual law is “Covered Entities,” meaning health plans, health care clearinghouses, and health care providers that transmit health information electronically. Covered Entities must ensure that the businesses they work with also guard the PHI. The official term for such companies is “Business Associate.” NPSC qualifies as a Business Associate because it stores data collected by healthcare hospitality houses. NPSC must therefore take extra precautions to safeguard the PHI that its customers transmit to NPSC to back up their databases, even though NPSC does not use the PHI in its operations. The simple fact that NPSC has access to the data makes it necessary for NPSC to follow Business Associate practices.

What kind of special precautions is NPSC instituting?

  • All HHK clients who host with us have their data stored on a HIPAA-compliant server. For more information about what this entails, visit VMRacks.
  • Our staff and board members are trained and certified in HIPAA compliance.
  • We have designated a HIPAA Privacy Officer and a HIPAA Security Officer. They have taken additional training in HIPAA-compliance requirements and are the first line of contact should a hospitality house have questions.
  • We have implemented HIPAA-compliance policies and procedures.
  • We will conduct audits of our operations every six months to ensure that we are identifying and remedying any HIPAA-related issues.
  • In the months to come, we will be asking all our customers to sign a Business Associate Agreement (BAA) that spells out what we are doing to protect PHI and the measures we will take in the event of a breach.

Why is NPSC doing this now?

In the early days of NPSC’s operations, houses were only gathering guest/patient names and the affiliated hospital. That minimal data set was so limited that no one was talking about the risk of a HIPAA breach originating from the healthcare hospitality industry. That has changed.

In April 2017, a remote cardiac monitoring provider (CardioNet) was fined $2.5 million and required to implement a corrective action plan to settle potential charges of noncompliance based on the impermissible disclosure of unsecured electronic protected health information (ePHI).

That $2.5 million definitely caught our attention! It came at a time when some potential clients inquired about NPSC signing a BAA. That confluence of events, coupled with customers asking for additional features in the software that expand the number of PHI data elements, made NPSC realize we had work to do, and we have spent the past year doing it.

We have educated ourselves about the increased protection we need to offer you, moved you to our secure server, and now you are benefiting from our expanded knowledge.

Does this mean your house has to become HIPAA compliant?

That is for your board of directors to decide in conjunction with your legal counsel and your risk assessment committee. One of our current clients is now tracking only patient initials in order to avoid having to deal with HIPAA. That’s an easy solution if it works for you operationally; keep in mind, though, that initials combined with the hospital, dates of stay, and room or unit can still identify a patient, so check that approach with your counsel as well. Your house will need to weigh the cost of compliance against the risk to your operation. Our board did just that, and we have taken the measures outlined above.

If you have further questions, feel free to contact us. We are happy to share what we know, although we will always remind you that NPSC is a software company, not legal counsel. We plan to share questions and answers on the Users Forum, so check there periodically.

Useful Links

Summary of HIPAA Privacy and Security Rules

HIPAA training site that we use

HIPAA Compliance page for VMRacks (our new server)