Skip To Navigation Skip To Content Skip To Footer
    Rater8 - You make patients happy. We make sure everyone knows about it. Try it for free.
    Insight Article
    Home > Articles > Article
    Cristy Good
    Cristy Good, MPH, MBA, CPC, CMPE

    To determine if a practice management software (PMS) meets HIPAA compliance, you should evaluate several key aspects of the software's features and security measures.

    Here are the steps to assess compliance:

    1. Understand HIPAA requirements

    Familiarize yourself with the HIPAA Privacy Rule and Security Rule, which set standards for protecting sensitive patient information. The Privacy Rule governs the handling of protected health information (PHI), while the Security Rule focuses on safeguarding electronic PHI (ePHI) through administrative, physical and technical safeguards.

    2. Evaluate security features

    • Data encryption: Ensure the software uses encryption for data at rest and in transit to protect ePHI from unauthorized access.
    • Access controls: Check for role-based access controls that restrict data access based on user roles, ensuring that only authorized personnel can view or modify sensitive information.
    • Audit trails: Look for comprehensive logging features that track user activity, which is essential for monitoring access and identifying potential breaches.

    3. Assess compliance documentation

    • Business associate agreement (BAA): Confirm that the software vendor is willing to sign a BAA, which outlines how they will handle PHI and comply with HIPAA regulations.
    • Security risk assessment (SRA): Inquire if the vendor conducts regular security risk assessments to identify and mitigate vulnerabilities in their system.
      • Click here for top recommendations for HIPAA Security Risk Assessments for physician practices.

    4. Review incident response procedures

    Ensure the software/platform has established protocols for responding to security incidents, including notifying affected individuals and regulatory bodies in case of a breach.

    • Click here for MGMA’s Incident Response Plan Checklist.

    5. Check for regular updates and support

    Verify that the software is regularly updated to address security vulnerabilities and that the vendor provides ongoing support and training for users on HIPAA compliance.

    6. Conduct a security audit

    If possible, perform a security audit or seek third-party assessments to evaluate the software's compliance with HIPAA standards.

    SRAs should be performed at least once a year. Depending on circumstances, some may choose to do it biannually. In addition to scheduled assessments, organizations should conduct risk assessments in response to specific events such as changes in legislation or regulations, significant changes in technology or operational processes, security incidents or breaches, or when there is an introduction of new systems or equipment that handle PHI.

    Organizations should also implement ongoing monitoring of their security measures and regularly review their risk management processes.

    How to ensure the new software integrates seamlessly with current system:

    To ensure that new HIPAA-compliant software integrates seamlessly with your current system, consider the following strategies:

    • Conduct a thorough needs assessment: Before selecting new software, evaluate your current systems and identify the specific needs and gaps that the new software should address. This assessment will help you choose a solution that complements your existing infrastructure.
    • Check compatibility: Ensure that the new software is compatible with your existing systems. This includes checking for integration capabilities with other software applications, databases, and hardware you currently use. Look for software that supports standard protocols and APIs for easier integration.
    • Plan for data migration: Develop a clear plan for migrating data from your current system to the new software. This includes mapping out data fields, ensuring data integrity, and determining how to handle any discrepancies. Proper data migration is crucial for maintaining continuity and compliance.
    • Involve stakeholders early: Engage key stakeholders, including IT staff, end-users, and management, in the selection and implementation process. Their insights can help identify potential integration challenges and ensure that the new software meets the needs of all users.
    • Test integration before full deployment: Conduct pilot testing of the new software in a controlled environment to identify any integration issues. This testing phase allows you to troubleshoot and resolve problems before rolling out the software organization-wide.
    • Provide training and support: Ensure that staff are adequately trained on the new software and its integration with existing systems. Ongoing support is essential to help users adapt and to address any issues that arise during the transition.
    • Monitor and evaluate performance: After implementation, continuously monitor the performance of the new software and its integration with existing systems. Regular evaluations can help identify areas for improvement and ensure that the software remains compliant with HIPAA regulations.
    Cristy Good

    Written By

    Cristy Good, MPH, MBA, CPC, CMPE

    Cristy Good, MPH, MBA, CPC, CMPE, is a Senior Industry Advisor at MGMA, with expertise in practice management, healthcare operations, revenue cycle management and project management. She has more than 20 years of experience in medical practice administration and financial management. Prior to joining MGMA, Cristy was a credentialed trainer with EPIC and helped prepare providers for one of the largest EHR implementations. For more than five years, she was an administrator with a large health system where she oversaw the strategic and daily operations for multiple outpatient medical practices and also spent six months working for a private home health agency. In addition, she has more than 10 years of clinical laboratory experience.


    Explore Related Content

    More Insight Articles

    Ask MGMA
    An error has occurred. The page may no longer respond until reloaded. Reload 🗙