What Is The Best HIPAA Compliance Software?

The best HIPAA compliance software is an effective compliance management tool that helps a covered entity navigate the complexities and stringent requirements of  HIPAA compliance.

The vast majority of healthcare organizations in the USA do not employ a professional compliance officer and HIPAA compliance falls to an administrator or practice manager. This guide is aimed at these people. If you are a compliance professional then please see our guide to Healthcare Compliance Software (Ian add hyperlink).

What Are The Benefits Of HIPAA Compliance Software?

  • Remove the complexities and stress of compliance
  • Reduce risk
  • Increase patient loyalty and the profitability of your business

What To Consider When Purchasing HIPAA Compliance Software?

There are three aspects to consider when purchasing a HIPAA compliance software solution.

  1. Key Features or Functionality
  2. Key Components
  3. Commercial Considerations

This guide is divided into three sections covering these separate aspects requiring consideration. By following this buyer’s guide framework, the organization can make a thorough assessment of available HIPAA compliance software options and select the most suitable solution to support their compliance efforts effectively.

1. What Are The Key Features Of HIPAA Compliance Software?

The software helps healthcare providers to implement robust measures, such as encryption, access controls, auditing, and regular risk assessments. By centralizing and automating the compliance process, HIPAA compliance software optimizes data protection efforts, mitigates potential breaches, and fosters a culture of compliance within the healthcare industry.

  • Security risk assessment
  • Gap identification
  • Remediation plans
  • Proper storage of HIPAA policies and procedures
  • Employee training
  • Business Associate Agreements
  • Breach incident reporting
  • Risk assessment tools
  • Policy and procedure management
  • Access controls and user management
  • Incident response and breach management
  • Audit logging and reporting capabilities
  • Encryption and data protection measures

What other features should you consider for  your HIPAA compliance solution?

A lot goes into a healthcare compliance program, and our solution helps automate the process. Whether you need HIPAA, OSHA, SOC 2, or all three, your compliance program is fully customizable.

Our software has everything you need for compliance: templated policies and procedures, risk assessments, comprehensive training for your entire staff, vendor management, incident reporting, and more. No matter your needs, our software provides guided action items to meet your requirements with ease.

Solve healthcare compliance challenges quickly and confidently with simplified software. . Endorsed by top medical associations, clients can be confident in their compliance program.

2. What Are The Key Components Of HIPAA Compliance Software?

Scalability and Flexibility

Considerations regarding the scalability of the software to accommodate the organization’s growth and evolving compliance needs.

Integration Capabilities Examination of the software’s ability to integrate with existing IT infrastructure and other third-party applications used within the organization.


3. What Are The Commercial Considerations When Choosing HIPAA Compliance Software?

Do they offer comprehensive help setting up their HIPAA compliance software for you?

Do they offer a free trial period?

Do they offer discounts? For example, for an association you may belong to already.

Vendor Reputation and Support:

  • Research on the vendor’s reputation within the healthcare industry and their track record in providing reliable software solutions.
  • Availability and responsiveness of customer support services, including training resources, technical assistance, and ongoing maintenance.
  1. Cost Considerations:
    • Transparent breakdown of pricing structures, including initial setup costs, licensing fees, and any additional charges for support or updates.
    • Comparison of pricing models (e.g., one-time purchase vs. subscription-based) and considerations of long-term affordability.
  2. Case Studies and Customer References:
    • Review of case studies or testimonials from other healthcare organizations that have successfully implemented the software.
    • Requesting references to directly speak with existing customers about their experiences with the software and vendor.


The post What Is The Best HIPAA Compliance Software? appeared first on HIPAA Journal.

96% of Hospitals Still Use Website Tracking Technologies That Share Data with Third Parties

An analysis of the websites of non-federal acute care U.S. hospitals has confirmed that 96% of those websites use tracking technologies that share visitor data with third parties such as Meta, Google, LinkedIn, or Snapchat.

In December 2022, The Department of Health and Human Services issued guidance for HIPAA-regulated entities on the use of website tracking technologies. The guidance made it clear that under HIPAA, these technologies cannot be used if they share protected health information with third parties unless the third parties in question are authorized to receive the data – and a HIPAA-compliant business associate agreement is in place – or if consent to share the data is obtained from patients. In July 2023, OCR and the Federal Trade Commission (FTC) issued around 130 warning letters to hospitals and telehealth companies to remind them of their obligations under HIPAA with respect to website tracking technologies.

OCR issued updated guidance in March 2024 clarifying its position, confirming that OCR accepts that not all information collected through these tools is classed as protected health information, stressing that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

Prior to OCR issuing guidance, a study conducted by researchers at the University of Pennsylvania in Philadelphia determined that 99% of hospitals in the United States were using tracking technologies on their websites that transferred data to third parties. A follow-up study – published in the JAMA Network – was conducted on 100 hospitals between November 2023 and January 2024 that looked at whether hospitals were transferring visitor data to third parties via these tracking technologies and if they had easy-to-find privacy policies that advised visitors about the use of these tools, how and why data was collected, and the third parties that received that data.

Out of 100 hospital websites, 96 transferred user information to third parties. 71 websites had privacy policies, 69 stated the types of information that was automatically collected, 70 indicated how that data would be used, 66 stated the categories of third parties that would receive the collected information, but only 40 named the specific third parties that would receive the data. While some privacy policies state well-known names of companies that receive the data, Google for instance, the researchers note that hospital websites transfer data to a median of 9 domains, with previous research indicating many unfamiliar companies receive data from hospital websites, including data brokers and companies with little to no consumer-facing presences. The researchers point out that a substantial number of hospital websites are not providing users with adequate information about how their data will be collected and used, either by not including a privacy policy or not disclosing sufficient information to website visitors about how their data will be used.

The post 96% of Hospitals Still Use Website Tracking Technologies That Share Data with Third Parties appeared first on HIPAA Journal.

Epic Systems Shuts off Access for Certain Particle Health Customers Over Patient Privacy Concerns

The electronic health record provider Epic Systems has cut off access to data for a startup called Particle Health after alleging the firm was sharing patient data with third-party companies for reasons not related to treatment. Epic, the largest provider of electronic health records in the United States, alleged that Particle Health was engaging in unauthorized and unethical data sharing that had the potential to violate the HIPAA Privacy Rule. On Thursday last week, Epic notified customers that the connection with Particle Health had been cut off.

Particle Health is a member of the Carequality network, which supports interoperability and facilitates health data exchange. Members of the network act as middlemen that connect different healthcare networks across the United States and the Carequality interoperability framework is used to exchange more than 400 million documents each month. To join the Carequality network, a company must agree to only share patient data for certain purposes, one of which is for treatment. Epic responds to requests for data for treatment purposes and requires the recipient to be providing care to the patient whose records have been requested.

On March 21, 2024, Epic filed a formal dispute with Carequality about Particle Health and its participant organizations and alleged that they may be inaccurately representing the purpose for record requests and suspended Particle Health’s connection the same day. Particle Health explained in an April 9, 2024 blog post that immediate action was taken to address the issue after Epic blocked access to data requests for a subset of its customers and confirmed that it is strongly committed to privacy and security and subjects its customers to a rigorous onboarding process and requires them to adhere to the standards of the Carequality framework. Particle Health explained that Epic did not shut off data access for the company and Carequality has not suspended Particle Health’s ability to participate in data exchange; however, on March 21, 2024, Epic stopped responding to data requests for some of Particle Health’s customers without a clearly stated reason for doing so.

Particle Health also expressed concern that certain individuals at Epic thought that some of its customers might be inaccurately representing the purpose associated with their record retrievals, then extrapolated that to assert that Particle Health might not be fulfilling its obligations as a Carequality implementer. Particle Health said it strongly objects to the latter and is happy to investigate the former, and pointed out that the company has always acted in good faith and followed guidelines and said there is no standard reference to assess the definition of treatment nor the application of the definition of treatment as it pertains to data requests.

“This decision has negatively impacted thousands of patients, and potentially puts 6M+ patient encounters per year at risk,” explained Particle Health founder, Troy Bannister, in a post on LinkedIn. “We believe strongly that this unilateral action is a violation of important rules developed to ensure that this doesn’t happen and is critical to the uninterrupted treatment of patients everywhere.”

Epic said the reason for cutting off access was due to anomalies in patient record exchange patterns, such as requests for large numbers of records in a particular geographic region, and that certain Particle Health customers were not sending back new data from patients, which is a red flag that suggests the data is being shared for reasons other than treatment. After evaluating Particle Health’s new participant connections, including organizations such as Integritort, MDPortals, and Reveleer, Epic determined that data sharing was likely not for treatment purposes and blocked access for a subset of Particle Health’s customers. Epic also said that it heard from another Carequality member that Integritort was attempting to use patient data to identify participants in a potential class action lawsuit. Epic requested that Particle Health provide further information on how its customers qualify for treatment uses.

“We have made significant progress towards resolving this connectivity, with some customers already turned back on,” explained Particle Health in a blog post. “We are continuing working collaboratively with Epic and remain committed to upholding our mission by standing up for our customers and supporting the legitimate use of health data exchanges.”

The post Epic Systems Shuts off Access for Certain Particle Health Customers Over Patient Privacy Concerns appeared first on HIPAA Journal.

FTC Fines Mental Health Company Cerebral $7.1 Million for Consumer Privacy Violations

The Federal Trade Commission (FTC) has fined the mental health startup Cerebral $7.1 million for consumer privacy violations and deceptive trading practices. The $7.1 million financial penalty resolves allegations that the mental health telehealth company and its former CEO, Kyle Robertson, broke its privacy promise to consumers by impermissibly disclosing their sensitive personal and health information to third parties for advertising purposes, misled consumers about its cancellation process, and failed to protect sensitive health data. The proposed FTC order includes a requirement for Cerebral to refrain from disclosing consumers’ data to third parties for advertising purposes without consent and for the company to provide an easy way for consumers to cancel its services.

One of the most important factors for consumers when choosing a mental health care provider is privacy. Consumers need to be able to discreetly discuss highly sensitive mental health problems and be sure that the information disclosed is kept private and confidential. The FTC alleged that Cerebral claimed it provided safe, secure, and discreet services but failed to clearly inform consumers that their sensitive data would be shared with third parties. As a result of the information sharing, consumers could be targeted with advertisements related to the information they disclosed to Cerebral in confidence.

Cerebral had disclosed its data sharing practices in its privacy policies; however, those privacy policies were dense and the information about data sharing practices was deeply buried making it likely that consumers would not see it. Further, Cerebral claimed in multiple areas that it would not share consumer data with third parties for advertising purposes without their consent. According to the FTC complaint, Cerebral shared the sensitive data of almost 3.2 million consumers with third parties such as Snapchat, LinkedIn, and TikTok via tracking tools embedded in its websites and apps, which amounted to a deceptive business practice that violated the FTC Act.

The information disclosed to those third parties included names, addresses, email addresses, phone numbers, birth dates, IP addresses, medical and prescription histories, pharmacy and health insurance information, other types of health information, and other personal data such as religious and political beliefs and sexual orientation. That information was also available internally to Cerebral staff, with access to customer data not restricted to the employees who needed to view that information. Between May 2021 and December 2021, former employees could continue to access consumer information and the company failed to ensure that healthcare providers could only access their own patients’ records.

The FTC complaint alleged that Cerebral engaged in sloppy marketing practices. For instance, 6,000 postcards were mailed to patients that included patients’ names and language that would reveal their diagnosis and treatment to others, rather than using envelopes and Cerebral used a Single Sign-on solution that exposed patient data to other patients when they signed into the patient portal at the same time.

The FTC also alleged that Cerebral and its CEO violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) due to engaging in unfair and deceptive practices regarding substance use disorder treatment services and violated the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to clearly disclose all material terms of its cancellation policies before charging consumers. The alleged deceptive practices started while Robertson was CEO and continued after his tenure.

The FTC order has yet to be approved by the U.S. District Court for the Southern District of Florida. If approved, in addition to the financial penalty and ban on disclosing sensitive data for advertising purposes, Cerebral is required to post a notice on its website alerting consumers about the FTC order, delete consumer data that is not being used for either treatment, payment, or healthcare operations if users have not consented to those uses, provide consumers with a mechanism to request that their data is deleted, and adopt a data retention schedule.

The financial penalty includes $5.1 million to provide partial refunds to customers affected by its deceptive cancellation policies. A $10 million civil monetary penalty has also been imposed, which will be suspended after $2 million has been paid due to the inability of the company to pay the full amount.

“As the Commission’s complaint lays out, Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” said FTC Chair Lina M. Khan. “To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes.”

“Cerebral has been transparent and fully cooperative throughout the investigation and remains committed to providing excellent care for our valued patients while upholding the highest standards of customer service, data protection, and client privacy,” explained Cerebral in a statement about the FTC order.

The post FTC Fines Mental Health Company Cerebral $7.1 Million for Consumer Privacy Violations appeared first on HIPAA Journal.

Orrick, Herrington & Sutcliffe Agrees $8 Million Settlement to Resolve Class Action Data Breach Lawsuit

The San Francisco, CA-based law firm Orrick, Herrington & Sutcliffe has agreed to a $8 million settlement to resolve a class action lawsuit filed in response to a 2023 cyberattack and data breach.

In March 2023, the law firm that specializes in helping companies that have experienced security breaches suffered one of its own. On March 13, 2023, hackers were discovered to have gained access to its network, with the forensic investigation revealing they had access for around two weeks between February 28 and March 13, 2023, before the intrusion was detected. The personal and protected health information of 637,620 individuals was compromised; however, it took months to determine how many individuals had been affected with the last batch of notification letters mailed to affected individuals in January 2024. The affected individuals were offered 2 years of complimentary credit monitoring services.

A lawsuit was filed against Orrick, Herrington & Sutcliffe in the U.S. District Court for the Northern District of California shortly after the announcement about the breach. The lawsuit made several allegations, including the failure to secure its systems, the failure to prevent and stop the breach, the failure to detect the breach in a timely manner, and the failure to disclose material facts that adequate system security measures were not in place to prevent data breaches. The lawsuit also alleged Orrick, Herrington & Sutcliffe did not honor repeated promises and representations to protect the information of the breach victims and failed to provide timely notifications. Several other lawsuits were filed over the breach that made similar claims, and they were consolidated into a single action – In re Orrick Herrington & Sutcliffe LLP Data Breach Litig.

The plaintiffs alleged they had been harmed by the data breach, including receiving a flood of spam emails and phone calls, actual and attempted identity theft, and other misuse of their personal information. Orrick, Herrington & Sutcliffe has denied liability and wrongdoing and said it regretted the inconvenience and distraction that the malicious incident caused. The proposed settlement was deemed to be reasonable and fair by class counsel and has received preliminary approval from the court. Under the terms of the settlement, class counsel may claim up to 25% of the settlement amount and after costs of up to $50,000 and $2,500 service awards for the lead plaintiffs have been deducted, the remainder of the settlement will cover claims from individuals affected by the data breach.

The settlement includes up to 5 hours of compensation for lost time at $25 per hour, reimbursement of up to $2,500 for unreimbursed out-of-pocket expenses, reimbursement of up to $7,500 for extraordinary losses such as identity theft and fraud, and three years of three-bureau credit monitoring services. California residents are entitled to a cash payment of $150. If class members choose not to submit a claim for lost time and reimbursement for out-of-pocket expenses and extraordinary losses, a claim may instead be submitted for a cash payment of $75.

The post Orrick, Herrington & Sutcliffe Agrees $8 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.