Improved technology and the recent pandemic created new opportunities for healthcare practitioners and their patients to communicate electronically. OhMD has developed a platform rich with features, including two-way texting, video visits, and patient calling.
While its features may be impressive, potential users must ask, is OhMD HIPAA compliant?
What Makes a Software Tool HIPAA Compliant?
Regarding software, there are specific indications of the tool’s HIPAA compliance. Software HIPAA compliance really boils down to two things. Does the tool have safeguards to keep patient data private and secure? Does the software provider sign business associate agreements?
When the answer to both of these questions is “yes,” the tool is likely HIPAA compliant. If the answer to either is “no,” the tool is not HIPAA compliant.
What Are HIPAA Safeguards?
HIPAA safeguards are measures that a healthcare organization puts into place to protect the confidentiality, integrity, and availability of protected health information (PHI). HIPAA categorizes safeguards into three groups – administrative, physical, and technical.
Administrative safeguards are written policies and procedures that dictate proper uses and disclosures of PHI.
Physical safeguards like locks and alarm systems protect an organization’s physical location.
Technical safeguards are measures that protect electronic PHI (ePHI).
While administrative and physical safeguards are essential, technical safeguards are generally the determining factor of a software provider’s HIPAA compliance. You should expect technical safeguards to include encryption, user authentication, access controls, and audit controls.
Why is a Business Associate Agreement Important?
Business associate agreements are a vital determinant of HIPAA compliance. Even the most secure software platform is NOT HIPAA compliant is they will not sign a business associate agreement (BAA).
Why?
A BAA is a legal agreement that requires each signing party to be HIPAA compliant and be responsible for maintaining compliance. A BAA limits the liability for both signing parties in case of a breach or OCR audit, as only the negligent party would be held culpable.
Is OhMD HIPAA Compliant?
So, is OhMD HIPAA compliant? OhMD encrypts PHI data when in transit and at rest. Their software also allows account management to be handled by client-side Admins and/or OhMD Support. Ability to access and level of access can be managed per user, with all users needing unique usernames and passwords. This appears to fulfill the technical requirements of the HIPAA Security Rule.
OhMD also has a BAA on its website that clearly defines the responsibilities of each party. Furthermore, they have BAA’s in place with all their service providers, including Amazon for web hosting.
Based on these criteria, OhMD appears to be HIPAA compliant.
