- Is Slack HIPAA compliant?
- Is Skype HIPAA compliant?
- Is Zoom HIPAA compliant?
- Is Gmail HIPAA compliant?
- Is Google Drive HIPAA compliant?
- Is Dropbox HIPAA compliant?
- Is Facetime HIPAA compliant?
1) Will the vendor sign a business associate agreement?
An efficient way to determine whether software is HIPAA compliant is to run a web search for “Software Name HIPAA”. If HIPAA matters to a software vendor, they will likely have a page on their website that fields questions about HIPAA compliance. While conducting your search you will most likely find one of three possible results:
Situation 1: The website has an entire page dedicated to HIPAA that states they are willing to sign a business associate agreement. This is the best outcome you could hope for and means the software is OK for further consideration. It’s important that the software you choose meets technical requirements, but the software vendor must also be willing to sign a business associate agreement stating they are responsible for your PHI.
Situation 2: The website has an entire page dedicated to HIPAA but does not clearly state that they are HIPAA compliant or that they will sign a business associate agreement. Most software services that can meet the needs of healthcare providers have already been asked whether they are HIPAA compliant and have an answer ready in anticipation of being asked again (and again). If there are no clear statements proclaiming HIPAA compliance and a willingness to sign a business associate agreement, then that software is most likely not a HIPAA compliant choice. Rather than state their lack of HIPAA compliance plainly, some software companies obfuscate their stance on HIPAA in hopes of making a sale. When in doubt, send their support team a message and ask if they sign business associate agreements. If they will not sign, then cross them off the list. Another option is to ask a potential business associate whether they will share their risk assessment. Organizations that have not conducted a risk assessment will be found willfully negligent if they breach PHI you are stewarding, and subsequent HHS investigations may determine that you are negligent as well.
Situation 3: The website for the software does not mention HIPAA at all. If you’ve searched the official website for the software you’re considering but find neither hide nor hair of HIPAA or of how PHI is managed, then the vendor is probably not accustomed to emphasizing HIPAA requirements or signing business associate agreements. Their HIPAA page may be buried or may have been accidentally removed, so if the software in question is otherwise a perfect fit for your business needs, it’s worth sending an email to their support team to ask.
2) Does the vendor take HIPAA compliance seriously?
3) Does the software empower you to achieve compliance?
- Will the vendor sign a business associate agreement?
- Can the vendor provide some evidence they are truly HIPAA compliant, or are they just paying lip service to their HIPAA responsibilities?
- Once you have the software up and running, does it adequately support your own HIPAA compliance initiatives?
By asking the right questions to obtain reasonable assurance, you can make the right decisions when choosing whom to trust as a business associate.