Chris Reddick (president, CEO, and co-founder of Clarity Ventures) and Ron Halversen (vice-president sales and marketing) get together to give an overview of HIPAA compliance. 

Part 1 of a 4-part series 

CHRIS REDDICK: Hello everyone, and welcome. Today's webinar is going to be going over HIPAA and today you've got Chris Reddick and Ron Halversen here, and I'm one of the founding partners of Clarity. Clarity is, among other things, an enterprise eCommerce and integration platform development company. And as a result of our many different integrations and projects over the years with eCommerce portals, medical app development, we've done a lot of work with HIPAA, and in particular with security and privacy and dealing with medical organizations, EMR/EHR, and so today we're going to be walking you through some of the things that we've learned over these 15 years. And I'm going to be going into some of the technical details. And Ron, who is the sales and marketing VP, he’s going to be going over all of his experiences, and Ron has an amazing background. And Ron, if maybe you can share just a little bit more about your background than I just did.

RON HALVERSEN: Yeah, no problem. So my background actually started technical, so 25 years ago as director of IT at WordPerfect and Novell. And so I was an engineer by trade and then moved into marketing after that. So very technical but really understand now the business and how technical solutions are affected by and can cost businesses. So Chris is definitely our technical resource today to really keep us honest and dive into the really technical details of HIPAA and a doctor portal website. And then I'm here to hopefully talk about how that applies to your business and how maintaining compliance is something that would be important for you.

What is HIPAA

CHRIS: Thanks Ron, and just to get us started, one of the key questions that we hear from clients and even from acquaintances and business partners that we interact with is, “what exactly is HIPAA?” From there the question is “how does it apply to my organization specifically?” One of the things that’s really helpful to understand about HIPAA is that, unfortunately, it's rather overarching, and it does encompass a lot.

PHI stands for protected healthcare information, and therefore ePHI stands for electronic protected health care information. With regards to this discussion today we're going to be getting into some of the nuances and some of the areas that really are related to digital ePHI, digital and software-related aspects of this. We want to make the point that, generally speaking, HIPAA is going to apply significantly, and for most organizations, primarily outside of the online and software side of things. However, when it comes to online presence, mobile applications, websites, or any software integration—EMR/EHR systems, internal systems that are holding some of this ePHI data—those are some of the most scary and uninformed areas for many health care providers, commonly known as “covered entities” or CEs. Ultimately what we’re looking to do with this conversation today is really give you some perspective on what HIPAA is in this context. But we want you to know that, technically, we could just go down so many different rabbit holes and talk about this for days and days and not completely cover everything. So we want to call that out so that you know that, whether you talk with us offline or you review some of our other detailed webinars or information that we have on HIPAA, we are going to be giving high level concepts. By generalizing some of them, we may not 100 percent cover all of the nuances.

Generally speaking, HIPAA, with regards to online and software, is comprised of these four rules: Privacy, Security, Enforcement, and Breach Notification. We're going to go into these in detail and break these apart. And so how does it apply? Well, you kind of need to know how those rules work in order to really get into the weeds, so we're going to kind of break that apart and get into that detail as we go. But one of the things that we can start with is “when does it not apply to an organization?” Generally speaking, if there isn’t ePHI or PHI data, and there isn't sensitive information that’s being stored or transmitted, then HIPAA doesn't apply. Ron, I'd love for you to bat it back and forth with me and talk about some scenarios that you see where it doesn't apply.

RON: Yeah. As a little background, in the 15 years we've been in business, we've done over 1300 websites, and our largest vertical is medical. So a lot of the information I'll be providing is what I've seen in doing a significant number of these medical websites for many of our clients, and we're happy to talk to you guys at any time about that. But to answer your question specifically, Chris, for example, let's say a client has a...well, here's a real scenario. One of our clients, they do therapeutic services. So for child development services in the first three years of their life, they do developmental therapy like occupational therapy, physical therapy, speech therapy, things like that. And so we built a website for them a number of years ago, and it was just a simple non-secure website. It was many years ago when SSLs weren't really even a thing.

And so they had that, and it was really a website to help drive business to bring new therapists to work there. So it didn't have to be HIPAA compliant. And so we built the website, it ran really well. Then he had to start doing some SEO, and it started driving a lot of traffic to the website, so much so that patients started coming and going, well, hey, can I sign up directly with you rather than being prescribed from a doctor, and they said, yes. So the next call to us was, okay, we need to be able to onboard our clients.

Well, when they onboard a client, that's obviously going to gather some of this protected information, information about diagnoses and things that might be wrong with their children that they need help with, and so we had to start collecting data. Well, the client didn't have enough money to go back and migrate the website to a whole new HIPAA compliant hosted website and redo the whole website, so one of the things you can do is not store any of the PHI data. So Chris, you know what we did with that client, how would I have a secure onboarding form on this website, however, not violate PHI and store that data? 

CHRIS: Yeah, that's a great question. And it's something that might be overwhelming for folks. So there are forms that we can embed that you can work with a SaaS-based HIPAA form company and embed a form in the site, but the data for the form isn't actually persisted into the website itself, it's persisted into that form provider's data center, essentially. And so they're managing all of the HIPAA compliance through this SaaS-based service. And so we'll talk about this later, but you can essentially get a BAA with them, because your organization will be referred to as a covered entity, a CE, and you want to get a BAA, a business associate agreement, which is essentially, without going into a lot of detail, it's basically this agreement between the CE and the other providers about what is actually being covered, and what is the responsibility of this partner with this HIPAA data. And so anyway, long story short, that's one flavor of doing this. There are many other flavors, but for a simple form, that's a great solution, isn't it? 

RON: Yeah. And one thing to really understand about when HIPAA does not apply is that it doesn't apply like people think. I mean, I've seen so many videos and TikToks lately, and everybody's just like, you can't ask me my height or weight, you can't ask me my birth date, that's a HIPAA violation, and it's not. People don't understand that HIPAA doesn't apply to us as individuals. For example, I go to the doctor patient portal, and I can log in, and as a patient, I can see all of my medical records, I can see my lab test results, I can do anything I want. And if I was applying for life insurance, they may say, hey, we need these lab results or whatever, and I have every right to go into patient-doctor portals, download those files, extract that PHI information out of that portal, and I can turn around and hand it to anybody I want.

And that doesn't violate HIPAA, because I own the data, I have the right. What it really protects is, the life insurance person could not pick up the phone and call my doctor and say, hey, by the way, can you tell me Ron's last blood results, because that is protected healthcare information about a patient, and the patient has not given consent to give and distribute that information out. That's why a lot of times if you go to a doc, and you have to go to a specialist, what do they do? 

They refer you to the specialist, so you can go and share whatever, and then you have to sign that form that they make you say that you're able to share your information with another doctor, and you have to list that doctor, because you're the only one that can share that information. So if anybody asks you for HIPAA, they can ask you anything they want, you don't have to give it, but that does not violate. And that's probably the one thing I hear most from people, is they think if somebody asks them any question about their health, that they're violating HIPAA, and that's just not the case. 

CHRIS: That's right. And so I think the summary here is that HIPAA doesn't apply if you're not storing this ePHI data, and in particular for online scenarios in general, this PHI, protected healthcare information. And so that's really the bottom line in general, and there are a lot of nuances to this, but let's get into when it does apply, and let's start by talking about one of the tenets of software and online HIPAA, which is the security rule.

Continue to Chapter 2 to learn about the HIPAA Security Rule and the HIPAA Privacy Rule