HIPAAdvisory, Phoenix Health Systems

HIPAAdvisor: Q & A with Steve Fox

Software HIPAA Compliancy

QUESTION #4: My organization plans to purchase several new software products in the coming months. How can we be certain that the software we purchase is HIPAA compliant? Has the government developed a list of required software features and functions?

ANSWER: No. HIPAA's security requirements are technology neutral. The proposed regulations give health care organizations the flexibility to decide how they will implement HIPAA's security mandates. Although there are minimum requirements for certain technology solutions, the software needs and requirements of any individual organization will depend upon that organization's HIPAA compliance plan, existing systems, and security procedures. There aren't any one-size-fits-all software features or functions that automatically ensure HIPAA compliance. Software solutions that are congruent with the security protocol of one organization may be inadequate to meet the needs of another.

When selecting software products, organizations must be cognizant of the ever-evolving nature of technology and its application in the health care industry. In this dynamic environment software products are more than just the sum of their parts. They are the tangible components of the partnership between health care organizations and software vendors. Organizations should be careful to partner with software vendors that offer viable solutions today and demonstrate the commitment and capacity to develop solutions for tomorrow as well.

Following are several criteria to consider during software product/vendor evaluation:

  • Are the software enhancements, updates, or upgrades necessary to implement the organization's HIPAA compliance plan included in the cost of support and/or maintenance?
  • Does the vendor guarantee the availability of support and/or maintenance for a specified minimum number of years?
  • Is the software scalable?
  • If the software has security features, are they compatible with the organization's HIPAA compliance strategy? If the software does not contain security features, are customizations available to create such features? If so, at what cost?
  • If currently licensing software from the prospective vendor, how responsive is the vendor to the organization's maintenance, customization and support requirements?
  • How long has the vendor been in business? Is the vendor financially viable? What is the likelihood that the vendor will be acquired during the term of the contract? [See Siemens-SMS merger deal.]

This list is by no means exhaustive. Also, consider other issues that may be of particular importance to your organization's security protocol.



Steve Fox, Esq., is a partner in the Washington, D.C. office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is a frequent writer and speaker on healthcare information management and technology issues. www.pepperlaw.com/

This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper Hamilton.

Disclaimer: Steve's responses offer information that is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice.

Have a question you'd like Steve to discuss in HIPAAlert? Send it to and he'll be glad to consider using it in a future column, with or without attribution.