HIO-301 Free PDF - Certified HIPAA Security Updated: 2023

CRM in healthcare

A healthcare CRM with data analytics can help you determine which of your patients might need additional care or identify patients who are behind on their follow-ups and tests. You can also use your practice’s CRM to manage patient prescriptions and appointments.

Increasingly, healthcare CRMs are adding remote patient-monitoring capabilities. If you own a medical practice and install a CRM with remote patient-monitoring tools, you can log in to your CRM to see a patient’s vitals in real time. You’ll first need to prescribe the patient remote monitoring tools, such as blood pressure pumps and glucose tests that they can use at home, and then you can check their vitals at any time.

Additionally, a CRM can help you navigate the complexities of medical billing, Improve your practice’s workflows, and report on patient complaints and internal challenges. Some healthcare facilities also use CRMs for marketing campaigns to attract new patients.

When do you need HIPAA-compliant CRM software?

All CRM software used in healthcare must comply with HIPAA, because the law applies to all patient data with which healthcare providers interact. Title II of HIPAA specifies the guidelines that healthcare providers must follow regarding patient data and has one rule each for transactions, identifiers, enforcement, privacy, and security.

What makes a CRM HIPAA-compliant?

A CRM software platform is HIPAA-compliant if it ensures that all patient data remains confidential, backed up and securely stored. You must only transmit encrypted data and have complete control over the data in your CRM – that means no unauthorized intake, access, creation, storage or sharing of data. To be safe, you might also want to see if your CRM has been certified by an organization specializing in information security and privacy.

What to look for in a HIPAA-compliant CRM

These are the most important features to seek in a HIPAA-compliant CRM:

• Employee access. A HIPAA-compliant CRM should have safeguards to ensure that different levels of employees have role-appropriate levels of access to patient data. For example, receptionists should only have access to basic identifying information, but nurses and doctors will need to see patients’ vitals as well.
• Data security. To be HIPAA-compliant, your CRM should have additional data security features beyond employee access measures. It should categorize data into tiers of security and automatically block access to employees based on their job role and the data level. It should also timestamp all data changes with the CRM user’s identity to make alterations traceable.
• Ample cybersecurity knowledge. Although a CRM platform is a program rather than a person, anyone from the CRM company should be able to articulate the software’s cybersecurity strengths and weaknesses when they speak to you. Ask your sales rep to explain how the CRM handles endpoint security, patches, HTTPS and other areas of cybersecurity. Their answers will demonstrate how highly the company values HIPAA compliance.
• Success stories. A HIPAA-compliant CRM company should be willing and able to provide references and possibly case studies of healthcare providers who have had success with its CRM services. You can reach out to references to learn more about the CRM’s HIPAA compliance features, and you should compare the case study’s solutions to your needs.
• Ability to scale. In case your practice grows, it’s important to choose a HIPAA-compliant CRM that can work for healthcare organizations of all sizes. When you look through your CRM’s success stories, you should try to find proof of work with larger healthcare organizations. A track record of this work indicates that your CRM can stay with you as you grow and suggests that it will work for you while you’re still on the small side.
• Data backup. Data loss is among the most severe consequences of a cybersecurity breach. A HIPAA-compliant CRM will guard against this problem by regularly backing up your data, perhaps to more than one location.
• Security alerts. Some HIPAA-compliant CRMs will almost instantly alert you to data breaches so you can quickly act on them. Rapid response to a data breach is critical for all businesses, particularly healthcare organizations dealing in sensitive and potentially lifesaving information. 

Top CRM systems for HIPAA compliance

The following are some of the best-regarded HIPAA-compliant CRM software programs.

Keap

Keap is a HIPAA-compliant, user-friendly CRM software platform that’s well suited for new and small healthcare organizations. You can use Keap to store and organize your patients’ information in a system that your team can access as needed. It’s also useful for patient acquisition, and as of January 2021, Keap has added over 2,000 apps to its library of compatible integrations.

Freshworks

Popular CRM platform Freshworks has an additional suite for healthcare providers. The Freshworks Healthcare CRM is HIPAA-compliant by nature. You can use it at your practice to store schedules and patient data in one location rather than across several programs. Freshworks says that with this centralized data hub, your patient satisfaction and internal workflows (including billing) are likely to improve.

Salesforce

Salesforce has long been a leader in the CRM field, and the Salesforce Health Cloud offshoot is no exception. You can use it to personalize the care and messages your patients receive from your practice. It can also help establish one-on-one connections between your staff and your patients and make your data more actionable. Note that payers, not just providers, can use Salesforce Health Cloud, so it can streamline the payment process between you and your patients or their insurance providers.

NexHealth

NexHealth is a HIPAA-compliant CRM that facilitates online scheduling, telehealth appointments, waitlists and appointment reminders. It integrates with most major electronic health record (EHR) vendors and includes reporting features and patient payment portals. The NexHealth tiers have different features; some even have capabilities for marketing campaigns and automated follow-up appointment outreach.

PatientPop

PatientPop is a HIPAA-compliant CRM with both internal and external features. It enables automated appointment emails, flexible online booking, patient surveys, and a stronger online presence for your practice. It also fully integrates with most EHR, electronic medical record (EMR) and practice management platforms. As such, PatientPop is equally useful for enhancing the patient experience and finding brand-new patients as it is for streamlining your internal workflows.

Caspio

Caspio is a HIPAA-compliant CRM solution geared toward larger healthcare organizations. It allows for easy CRM customization without in-depth coding operations or modification. It’s a great choice if you want to grow your practice’s services beyond standard medical appointments. For example, if you want to expand into healthcare industry consulting or other non-patient-facing fields, Caspio facilitates this growth. That’s because its easy customization allows the creation of numerous interrelated online databases. 

Choose your healthcare CRM wisely

Before studying this article, you were likely aware that HIPAA compliance poses additional challenges when you’re choosing a CRM. Now that you know what those challenges are, you’re one step closer to thorough patient data security and privacy in your medical practice.

What is medical records retention?

Medical records retention is the act of keeping your patient charts and other medical information on file. When you retain your records, you develop a track record of your treatment plans and quality of care. Proper medical records retention is advisable for successful long-term patient treatment. It’s also helpful when dealing with medical malpractice suits, licensing board complaints and medical billing audits. 

How long must medical records be retained?

Several factors determine the number of years for which you must retain medical records. 

Federal law

These federal laws pertain to medical record retention:

• The Centers for Medicare & Medicaid Services (CMS) Hospital Conditions of Participation and Interpretive Guidelines. The federally funded Medicare and Medicaid programs are the largest payers in the United States. To keep your practice compliant with their regulations, you must retain all medical records for at least five years. Critical access hospitals must do so for six years.
• OSHA hazardous substance rules. Medical personnel may sometimes be exposed to harmful agents such as pathogens on the job. If these agents significantly impact the well-being of a nurse, practitioner or other person involved in patient care, OSHA regulations take effect. OSHA mandates that you keep exposure records for 30 years.
• HIPAA privacy regulations. Policies, procedures and disclosure accounting documents fall under the purview of the HIPAA Privacy Rule. According to these guidelines, you must retain these documents for six years.

State law

Most states have extensive regulations of their own regarding retaining or destroying medical records. Consult experts in your state about these laws and how they affect your medical records retention. Below are a few examples of state medical records retention guidance:

• California practitioners must retain certain medical records for at least 10 years.
• New York practitioners must keep all medical records on file for at least six years. Additionally, any obstetric and pediatric records must be kept until the child in question turns 19 years old.
• Texas practitioners must retain medical records for at least seven years. Additionally, pediatric records must be retained until the child reaches at least 21 years of age.

Case law

Case law is a subset of state law concerning medical malpractice suits. It determines how long after the state’s statutory period a patient may file suit if they discover that medical malpractice led to their current complaints. Case law exists because some injuries or conditions aren’t immediately obvious signs of medical malpractice, which means that medical malpractice suits can sometimes be exempt from statutory limits. Confer with experts in your state to learn more.

Best practices for keeping and maintaining medical records

To keep your medical records retention in line with the guidance above, follow these best practices:

1. Know which types of information to record.

A patient’s medical records should include the following information:

• Demographics
• Reason for visit
• Exams administered
• Tests ordered
• Exam and tests findings
• Diagnoses
• Treatment plans
• Prescriptions and medications

To learn more about these types of information, read Business News Daily’s guide to patient charts.

Retain any records that physicians and certified outside your practice send you for your own use with a patient, according to the same retention timeframes as your own records. Keep your practice’s medical billing documents regarding the patient too, so you can track which services were performed and paid for.

2. Record and store information the right way.

Several do’s and don’ts of medical recordkeeping can ensure that your patient charts are easily usable for any future purposes. 

Do:

• Keep your notes objective.
• Timestamp your notes.
• Indicate both informed consent and patient refusal or noncompliance.
• Record timestamped entries for all patient encounters, phone calls and electronic communications.

Don’t:

• Write illegibly. You can always use electronic medical records and speech-to-text tools to eliminate messy handwriting.
• Use abbreviations or ambiguous language.
• Use offensive words or try to make jokes.
• Make alterations or delete any old information without leaving a track record.
• Store medical records at locations other than a medical office or warehouse. Residential medical record storage, including on computers, is not advised.

3. Prioritize confidentiality except when necessary exemptions arise.

In almost all cases, you need a patient’s written consent to share their medical records with other parties. Given this privacy concern, medical records retention is as much about keeping records on file as it is about securing them from unauthorized access. HIPAA-compliant EMRs, such as those we’ve reviewed on our medical software best picks page, come with safeguards that make this protection of connected medical devices seamless. [Read related article: EMR vs. EHR]

In the U.S., limited exceptions exist to regulations regarding medical record sharing and confidentiality. Some portions of U.S. law can allow the sharing of medical records without the patient’s consent if the following conditions are met:

• When doing so is key to treating an emergency
• If they are pertinent to local, state or federal public health agency programs regarding substance abuse or HIV research

4. Make medical records accessible to patients.

Although the burden of retaining medical records falls on your practice, all records belong to the patients named in them. So, set up your medical records in ways that make patient access easy. Medical software such as EHR systems and medical practice management system (PMS) patient portals streamline this access. Note that you must comply with all patient requests to share their medical records with any parties whom they request.

5. Destroy medical records appropriately.

Eventually, all medical records will exist long enough that you’re no longer required to keep them. In this case, follow destruction best practices:

• Confirm that confidential information will remain private during the destruction process.
• Hire a record destruction agency rather than doing it yourself.
• Create a log of all destroyed records that lists the name of the patient and the date of destruction.

Medical record retention FAQs

Who owns electronic medical records?

Technically, patients own their electronic medical records. You remain responsible for storing them, but patients can demand access at any time. Patients can even demand that you hand over their records without retaining any copies.

What happens to medical records when a practice closes?

If your practice closes, you can’t just destroy your patient records and call it a day. After all, records belong to patients, not you. Notify your patients of your impending closure and inform them of their right to designate another practitioner as the holder of their records. Alternatively, you can release the patient’s records directly to them.

Can a doctor refuse to release medical records?

In almost all circumstances, doctors cannot refuse to release medical records when patients request them. Extremely limited exceptions may exist in certain states or localities, but it’s best to assume that when a patient demands their records, you should hand them over. 

However, you don’t have to release a patient’s medical records to a third party unless you receive direct authorization from the patient first. Getting the patient’s explicit permission for record release is best. This way, you avoid breaching the patient’s confidentiality and winding up with a lawsuit on your hands. After all, that’s one of your biggest reasons for following medical records retention guidelines in the first place.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes privacy standards by which healthcare organizations are required to protect sensitive patient information. Since its signing in 1996, HIPAA has been updated periodically to evolve alongside technology and has adapted to include cybersecurity standards required of all “covered entities” and their business associates.

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule is the section of the law that specifically relates to the confidential handling and transmission of patient healthcare data. Measures in the Privacy Rule include an enumeration of individuals’ rights under the law, such as how they can control and access their own healthcare information.

Moreover, the Privacy Rule prescribes how healthcare organizations and other covered entities and business associates must handle protected health information. This includes requirements that govern both process and technology; not only must protected health information be handled properly, but it must also be stored securely.

“It requires you to protect and maintain the security of PHI, which is a defined term that deals generally with health information that can be identified and tied to a specific individual,” Paul Starkman, an employment attorney for Clark Hill, told us. “It deals with how the information must be protected in terms of encryption, password protection and things like that. It also deals with transmission … and it has some other requirements too in terms of disposing [of] PHI once it is no longer needed.”

Starkman said this includes information from paper files, digital files, machines and pieces of equipment that become outdated or are no longer in service.

“Those need to be disposed of in accordance with HIPAA guidelines,” he said.

Which types of employers does HIPAA apply to?

The stringent requirements set forth in HIPAA don’t apply to all employers — just those that fall into a particular category.

The term “covered entities” refers to organizations that must comply with the rules set out under HIPAA. Covered entities include doctors’ offices, hospitals, insurance companies, insurance plans and clearinghouses. The U.S. Department of Health and Human Services maintains a complete list of covered entities on its website.

“HIPAA is primarily going to apply to covered entities,” said Jarryd Rutter, an HR coach at Paychex. “That is where HIPAA is most impactful: for those industries and obligations, not only to customers but their employees.”

Rutter noted that Paychex does not provide its clients legal advice and recommended that businesses consult with legal counsel if they are concerned about their HIPAA obligations.

HIPAA also applies to organizations that do business with covered entities and handle or process patients’ protected health information in some way. These organizations are known as “business associates” under the law and are also required to abide by HIPAA regulations.

“Sometimes we get pushback from a client we are helping because they are hesitant to send documents out of concern they are violating HIPAA when, in fact, they are not,” Rutter said. “A non-covered entity doesn’t have to be concerned with HIPAA; it’s really limited to if they offer health insurance plans and the handling of that health insurance info.”

Other employers are generally not covered by HIPAA and, therefore, are not required to abide by the strict privacy and security regulations included in the law. However, Rutter said, non-covered entities likely have some privacy and security obligations under other federal laws, such as the Americans with Disabilities Act (ADA) or the Family and Medical Leave Act (FMLA).

When does HIPAA apply to non-covered entities?

Although HIPAA doesn’t apply to most businesses, there is one unique circumstance under which employers should be aware of the law’s requirements. Employers that provide a self-funded health insurance plan are technically operating a covered entity: the health plan itself. This means the health insurance plan is subject to all of the requirements in HIPAA, while the primary business is not.

“Because that self-funded plan … is viewed as a covered entity, the health plan falls under HIPAA,” said Matt Fisher, partner at Mirick O’Connell and chair of the firm’s Health Law Group. “You end up having to wall off the information used for maintenance and operation of that plan. But, on the whole, HIPAA will really not apply to the general employer and employee relationship.”

Another common way employers come into contact with an employee’s PHI is through workers’ compensation claims, Fisher said. In these instances, clinical documentation from medical appointments might be required to support the workers’ compensation claim, and employers would need access to that information.

However, just because an employer can access this data does not necessarily mean HIPAA applies.

“Generally, the health information employers get through the employment relationship is not going to be covered by HIPAA,” Starkman said. “It may be covered by other state privacy laws.”

In the example of a workers’ compensation claim, HIPAA would govern the healthcare provider’s handling of protected health information and its release to the employer; the employee would be required to consent to this transmission of their healthcare data. Once that consent is given and the employer receives the information, HIPAA no longer applies. [Read related article: Guide to the Workers’ Compensation Claim Process]

What are examples of HIPAA violations?

HIPAA violations can be costly, so it is essential to avoid even unintentional violations. Civil penalties for HIPAA violations can exceed $50,000 per violation. Violations committed with malicious intent could result in criminal charges — in the most egregious cases, up to 10 years in prison and $250,000 in fines.

The first step in avoiding HIPAA violations is knowing some of the most common ones.

Unreported data breaches

Healthcare organizations are a major target for cybercriminals attempting to breach the networks and steal sensitive healthcare data. Covered entities must report data breaches to the individuals affected, the secretary of the Department of Health and Human Services and sometimes the media.

To avoid data breaches, ensure that you’re using highly rated antivirus software that is up-to-date and that all data is encrypted in storage and transmission. Update your software on all connected devices regularly to patch vulnerabilities hackers exploit. Decommission outdated devices and remove them from your network; dispose of them per HIPAA regulations.

Loss of devices

Any given hospital houses thousands of connected medical devices, all of which contain protected health information. The loss or theft of these devices could lead to the loss of sensitive data unless they are properly password-protected and encrypted in accordance with HIPAA. A failure to do so that results in a data breach is a HIPAA violation that could easily be avoided.

Unauthorized access

Employees who access data they do not need or are not authorized to access usually constitute a HIPAA violation. To avoid this problem, implement authorization systems that require employees to confirm their identities before accessing restricted information. Establish clear policies and procedures around authorizations and consequences for accessing information fraudulently.

Failure to encrypt data

Under HIPAA, all data must be encrypted. The law does not specify a precise standard, but the National Institute of Standards and Technology recommends Advanced Encryption Standard (AES) 128 at a minimum. Failure to encrypt devices, data in storage and data in transit likely constitutes a HIPAA violation. Avoid this by ensuring that all data in your network is encrypted to the highest possible standard.

HIPAA compliance checklist

If you are a covered entity or a business associate of a covered entity, HIPAA regulations apply to you. To ensure you remain compliant, follow this helpful HIPAA compliance checklist from HIPAA Journal:

1. Identify which audits apply to your organization.
2. Conduct those audits internally, then analyze the results and determine corrective measures.
3. Implement the corrective measures and document them. Review compliance annually.
4. Appoint a HIPAA compliance officer. Alternatively, appoint dedicated privacy and security officers.
5. Task the HIPAA compliance officer(s) with training all employees on HIPAA obligations.
6. Document HIPAA training and staff member completion of the training program.
7. Perform annual due diligence assessments on any business associates to ensure HIPAA compliance.
8. Establish processes for reporting breaches and notifying the Department of Health and Human Services Office for Civil Rights.

Following this checklist and establishing a clear set of policies and procedures regarding HIPAA compliance can put your organization in a better position to meet the strict privacy and security requirements included in the law.

Skye Schooley contributed to this article. Source interviews were conducted for a previous version of this article.