Paubox blog: HIPAA compliant email made easy

Does accounting software need to be HIPAA compliant?

Written by Kirsten Peremore | November 09, 2023

Accounting software used by entities that handle protected health information (PHI) must meet HIPAA requirements if it stores, processes, or accesses identifiable patient data. HIPAA applies to covered entities and their business associates, which includes vendors that provide accounting or billing services involving PHI.


HIPAA and accounting software

HIPAA Privacy Rule

In the context of accounting software, the Privacy Rule applies to the patient information stored within the system. It protects individually identifiable health information and governs who may access and use that data, including patient details, billing records, and other health-related specifics.

HIPAA Security Rule

The Security Rule sets standards for safeguarding electronic PHI (ePHI). For accounting software, this means implementing administrative, physical, and technical safeguards. Administrative safeguards cover the policies and procedures for maintaining security, workforce training, and periodic risk analysis. Physical safeguards concern the physical security of the systems storing ePHI, such as controlled access to servers or data centers. Technical safeguards require technology that protects the data itself, such as encryption, access controls, audit logging, and secure transmission methods.

HIPAA Breach Notification Rule

If unsecured PHI held in the accounting software is breached, affected individuals, the Secretary of Health and Human Services, and in some cases the media must be notified. A breach is an unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. The rule sets specific time frames: affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered, not after it occurred. The organization therefore needs the software to provide audit logs and alerting that allow breaches to be identified and reported promptly.

See also: A guide to HIPAA's rules


How to select HIPAA compliant accounting software

Selecting HIPAA compliant software, whether accounting software, HIPAA compliant email, or cloud storage, requires careful consideration of its features. Several factors should be taken into account, including:

  1. Identify PHI handling requirements: Understand the specific PHI that will be managed within the accounting software, such as patient names, contact information, billing details, and any health-related specifics. Knowing what kind of data the software will handle is the cornerstone of deciding whether it needs to be HIPAA compliant at all.
  2. Review vendor compliance: Research and assess potential software vendors or providers. Ensure they explicitly state that their software supports HIPAA compliance and describe how it addresses the Privacy, Security, and Breach Notification Rules. Note that HHS does not certify software or vendors as HIPAA compliant; third-party attestations such as a SOC 2 report or HITRUST certification are evidence of controls, not proof of compliance. Verify that the vendor will sign a Business Associate Agreement (BAA) acknowledging its responsibilities for safeguarding PHI; a vendor that will not sign a BAA cannot be given PHI.
  3. Security features: Evaluate the security features of the software. Look for encryption of data at rest and in transit, role-based access controls with unique user identification, audit logs of who accessed which records, and secure transmission methods. The software should have measures to prevent unauthorized access and to detect it when it occurs.
  4. Data storage and backup: Understand where and how data is stored, including whether any subprocessors host it. The software should store data securely, with regular backups and a tested disaster recovery plan in place.
  5. Compliance documentation: Request and review the vendor's documentation of its compliance efforts, such as security policies, procedures, and the results of any independent assessments.
  6. User training and support: Check whether the software provider offers training for users on HIPAA compliance and on the software's security features. User training reduces the risk of accidental disclosures. Verify the availability of customer support in case issues or questions arise.

See also: HIPAA compliance for accountants