Unlocking HIPAA Compliance: An Expert Interview with Jim Gorham on Simplifying Healthcare Data Security

The Health Insurance Portability and Accountability Act (HIPAA) is a cornerstone of the healthcare industry. Patients trust their physicians to meet their medical needs while always protecting their Protected Health Information (PHI). That obligation extends to the forms used every day, such as dental intake forms and consent forms at the doctor’s office. Ensuring HIPAA Compliance can seem like a complex task, but it can be approached in a simple and efficient way.

With a pharmaceutical background combined with executive experience in a number of companies, including HIPAAtizer, Jim Gorham sat down with us to help simplify some of the aspects of HIPAA Compliance.

Jim, tell us about what your company does.

With HIPAAtizer, we were looking to develop an easy-to-use, easy-to-install, easy-to-understand HIPAA-Compliant form solution for web developers, agencies, and other people wanting to “HIPAA-tize” a website for their healthcare clients.

What does HIPAA Compliance actually mean?

In our world, what it means is, how does HIPAA impact a website. If we break down the parts and look at the different aspects of HIPAA and where the impact is on a website, everything goes back to PHI, Protected Health Information. How does a website collect, manage and transmit this information? How does it process all the PHI that it might come in contact with? Just because you’re a doctor doesn’t necessarily mean your website has to be HIPAA Compliant. But, if you are collecting or transmitting PHI, then you really have to be HIPAA Compliant.

When does a vendor or service provider need to sign a HIPAA-Compliant Business Associate Agreement?

You don’t necessarily have to certify it unless you’re really doing something with PHI. If the website is collecting PHI, then there has to be an understanding of the roles and responsibilities of both sides. So, if you’re storing medical information and personal information from which you can identify who a person is, and you can identify and link them to medical conditions or medical information, that becomes a HIPAA issue. Anybody who’s storing or transmitting that information on behalf of a covered entity, on behalf of a healthcare provider, they have to, according to HIPAA, sign a Business Associate Agreement saying that they’re in full compliance with HIPAA in their operations.

If they’re using a third-party service and they don’t actually store PHI, is there anything that they have a liability for?

If there’s no PHI involved, there’s no risk. The only risk is reputational or having to take the time to explain to your client where the risks may lie.

HIPAA Compliance can seem complicated, is it more straightforward than we think?

It seems that there is a “HIPAA industrial complex” out there that’s existing only to make it more complex and confusing to people who aren’t HIPAA specialists. Once we delved into the product and HIPAA itself, it was relatively straightforward on the steps you had to take from a technical, administrative and security viewpoint to be HIPAA Compliant. It’s not that scary. It’s not that difficult. But there are a number of formal things that you have to go through in terms of different audits and implementing internal policies. It is key to remember that at the end of the day, if you’re not touching the PHI, if you’re not holding the PHI, if you’re not transmitting the PHI, you’re not doing anything with the PHI, there’s no risk to you.

When the physician wants forms completed on their website with the results sent to his staff, where does HIPAAtizer come in?

HIPAAtizer works as a plugin or a link to a form on a website. Only that little component within the website has to be HIPAA Compliant. The rest of the website doesn’t have to be HIPAA Compliant unless you store patients’ information. You don’t have to choose expensive hosting for hundreds or thousands of dollars a month for extra HIPAA Compliance certification for the overall server.

All you need is the plugin or the individual forms that you’re putting on your website to be HIPAA Compliant. That particular plugin or the iFrame or the code that’s put onto the website, that’s our code. We’re responsible for that form to keep it HIPAA Compliant. And then it just pushes the data directly to a dashboard that’s only accessible to the healthcare worker or the healthcare professional’s staff.

Who is able to see the data from these forms?

There are different ways to give access to the developer if they need to edit some of the forms.

Through HIPAAtizer, you can make changes to the form, to the fields on the form, but you never see the data. It provides an extra level of protection to a web designer and, at the same time, is fully HIPAA Compliant. So the covered entity, the healthcare provider, is also secure knowing that the developer can’t access the PHI.

What kind of assurance comes with having HIPAA-Compliant forms?

All of our forms have the ability to include a little watermark at the bottom: ‘This form is HIPAA Compliant.’ So when you’re filling out a HIPAAtizer form, if the doctor hasn’t disabled that feature, all the forms will say at the bottom, ‘These are HIPAA Compliant.’

Does your service include the conversion of forms into web-based forms, or is that something that the service provider might have a billing opportunity to do?

That’s up to the service provider. If the agency wants to do that and wants to add value to the doctor, no problem. They can do it. We have a drag-and-drop HIPAA-Compliant form builder where they can easily convert the existing form into a web form. Also, we do it for free because, at the end of the day, it can be labor-intensive. We do 10 to 15 forms a day; we’ve got a team that can process these much more efficiently than a marketing agency could. That’s a value to the service provider and the client because we will process one form for free and more forms at no extra cost as long as they sign up for the service.

What happens if a physician already has a form that they want to use? Can they still benefit from using HIPAAtizer?

Initially, we created a number of templates. Then we started talking to more doctors that didn’t want to use our templates; they wanted to use their own forms while wanting to keep HIPAA Compliance online. For a doctor, it’s about efficiency. They are used to a certain format of the forms and they are reluctant to change to a new format. One of our key value-added services is the free form conversion service. It’s not a fillable PDF online, it’s an actual web form which then maps into a PDF so that the doctor can receive the information exactly as he’s used to receiving it for the last 5, 10, 20 years. We’ve got the team that does it all the time, we’re extremely efficient. We’re developing a tool right now to actually automate that process. We’re always looking for a way to make the process faster. Efficiency at every step of the healthcare process is essential.