Gazelle Consulting

Choosing HIPAA Compliant Software

There are many options to choose from when picking the perfect software to support your healthcare practice or service.

If you are looking for the answer to any of the following questions, check out our linked articles to determine if a software can be HIPAA compliant for your business.

If you still aren’t sure, keep reading to learn how to choose HIPAA compliant software for your business. 

How to Choose HIPAA Compliant Software

For most healthcare providers and business associates, handling electronic PHI is a daily responsibility. For each process in your business, there is software built to facilitate the transport of associated data.

But how do you know whether or not the software you’ve chosen is HIPAA compliant?

Before trusting a business associate to handle your PHI, you must obtain “reasonable assurance” that the information they use will remain confidential or be disclosed only as required by law.

What does “reasonable assurance” mean?

Well, it’s up to you to make that determination, but it should be based on the amount of risk you are willing to take on by partnering with your vendor. If the amount of risk you want your vendor to impose on you is “none”, then be sure to turn over all appropriate stones.

Here are 3 factors that need to be considered when determining if software is HIPAA compliant.

HIPAA Compliant Software Checklist

We’ve provided a checklist of questions and some methods you can use to evaluate the security posture of your vendors and obtain “reasonable assurance” that they are compliant.

1) Will the vendor sign a business associate agreement?

An efficient way to determine if software is HIPAA compliant is by conducting a web search for “Software Name HIPAA”. If HIPAA is important to a software vendor, they will likely have a page on their website to field questions about HIPAA compliance.

While conducting your search you will most likely find 1 of 3 possible results:

Situation 1: The website has an entire page dedicated to HIPAA that states they are willing to sign a business associate agreement.

This is the best outcome you could hope for and means the software is OK for further consideration. It’s important that the software you choose meets technical requirements, but the software vendor must also be willing to sign a business associate agreement stating they are responsible for your PHI.

Situation 2: The website has an entire page dedicated to HIPAA but does not proudly indicate they are HIPAA compliant or will sign a business associate agreement.

Most software services that can meet the needs of healthcare providers have already been asked whether they are HIPAA compliant and have an answer ready in anticipation of being asked again (and again). If there are no clear statements proclaiming HIPAA compliance and a willingness to sign a business associate agreement, then that software is most likely not a HIPAA compliant choice.

Rather than state their lack of HIPAA compliance plainly, some software companies obfuscate their stance on HIPAA in hopes of making a sale. When in doubt, send their support team a message and ask if they sign business associate agreements. If they will not sign, then cross them off the list.

Another option you have is to ask potential business associates if they will share their risk assessment. Organizations who have not conducted a risk assessment will be found willfully negligent if they breach PHI you are stewarding. Subsequent HHS investigations may determine you are negligent as well.

Situation 3: The website for the software does not mention HIPAA at all.

If you’ve searched the official website for the software you’re considering but see no mention of HIPAA software compliance and how PHI is managed, then the vendor is probably not accustomed to emphasizing HIPAA requirements or signing business associate agreements. It’s possible that their HIPAA page is buried or has accidentally been removed, so it may be worth sending an email to their support team to ask if the software in question is an otherwise perfect fit for your business needs.

2) Does the vendor take HIPAA compliance seriously?

If you have a reason to believe the software vendor you are considering is willing to sign a business associate agreement, the next thing you should consider is whether they take the responsibility of handling PHI seriously. Use the vendor’s website to learn all you can about what security controls they have in place.

Is ePHI within their system encrypted in transit and at rest? Do they have policies and procedure documentation?

Do they conduct periodic risk assessments?

By signing a business associate agreement with a software vendor, you are indicating that you have considered their internal HIPAA compliance activities and believe they meet all requirements.

Ultimately you are responsible for how your patient data is handled and thoroughly vetting your vendors for compliance is a wise choice. If there is any question about their compliance activities, send their team a message and ask for more details. If you find the vendor will put your PHI at risk, their software is not a viable choice.

3) Does the software empower you to achieve compliance?

Good HIPAA compliant software should handle your data securely, but should also enable you to meet the HIPAA requirements outlined in your own policy and procedure documentation.

Does the software require authentication to access it and does it provide role-based access?

Does the software generate accessible logs you can use to periodically monitor user activity?

These features are required by HIPAA and empower you to spot potential data breaches as they occur, or investigate what happened if a breach does occur.


Software vendors that can confidently answer yes to the questions above are worth serious consideration when it comes to choosing HIPAA compliant software. Identifying the right software to manage ePHI is not difficult once you are aware of our HIPAA compliant software checklist:

  • Will the vendor sign a business associate agreement?
  • Can the vendor provide some evidence they are truly HIPAA compliant, or are they just paying lip service to their HIPAA responsibilities?
  • Once you have the software up and running, does it adequately support your own HIPAA compliance initiatives?

By asking the right questions to obtain reasonable assurance you can make the right decisions when choosing who to trust as a business associate.

Meeting HIPAA requirements can be a complicated endeavor.

If your situation is highly complex or you run into any questions not covered in this article, send Gazelle Consulting a message using our contact form or call (503)-389-5666 today. We are always available to answer your HIPAA compliance questions!
