HIPAA Compliance in Nonprofit Case Management: A Closer Look at Exponent Case Management’s Approach

Posted in: Blog
By: Marthe Rana

Nonprofits that provide case management services handle sensitive information about their clients, such as medical history, behavioral health treatment, and other personal details. To protect this information and maintain trust with their clients, it is critical that nonprofits ensure they are HIPAA compliant. In this blog post, we’ll explore what it means to have HIPAA-compliant software and how Exponent Case Management (ECM) ensures the security and confidentiality of client data.

HIPAA compliance for nonprofits and human services agencies

HIPAA, the Health Insurance Portability and Accountability Act, is a US federal law whose Privacy and Security Rules protect the confidentiality and security of individuals' health information. Those rules apply to covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and to their business associates, which can include human services organizations that provide case management services on a covered entity's behalf or that are providers themselves. An organization in either category is required to comply with HIPAA in order to protect its clients' privacy and maintain their trust.

When it comes to software used by nonprofits or human services agencies, the HIPAA Security Rule requires that all electronic protected health information (ePHI) be secured and that access to it be limited to authorized users. This includes software applications used to manage case information and client data, such as Exponent Case Management. Nonprofits must ensure that such software is secure and properly configured to support their compliance obligations.

The Security Rule lists encryption of ePHI in transit and at rest as an "addressable" implementation specification: an organization must either implement it or document why an alternative measure is reasonable and appropriate. In practice, encrypting ePHI wherever it is stored or transmitted is the expected baseline, and the Breach Notification Rule does not treat the loss of properly encrypted ePHI as a reportable breach as long as the key is not also compromised. In addition, organizations must implement procedures to monitor and control access to ePHI, including password policies, user authentication, and automatic logoff after a period of inactivity.

Covered nonprofits must also know their responsibilities under the Breach Notification Rule: an impermissible use or disclosure of unsecured PHI must be reported to the affected individuals and to HHS without unreasonable delay and no later than 60 days after discovery, with additional media notification for large breaches. Organizations that fail to comply with HIPAA can face significant financial and legal penalties, as well as reputational damage. By understanding the regulations and configuring their software to support compliance, nonprofits can protect their clients' privacy and stay on the right side of the rules. So read on, oh curious one.

HIPAA-compliant software: a fallacy 

HIPAA-compliant software is designed to incorporate the safeguards needed to handle Protected Health Information (PHI) securely. However, no software can guarantee HIPAA compliance on its own, because compliance is a property of the organization (its policies, procedures, risk analysis, and staff behaviour), not of a product. What is usually meant by "HIPAA-compliant software" is software that can be configured so that the organization using it is able to meet its obligations. For example, a HIPAA-compliant chat solution lets healthcare-related businesses message and collaborate with medical and non-medical personnel while ensuring that sensitive patient data is not exposed; it does not stop a user from pasting a client's diagnosis into an unapproved channel. Software can assist with HIPAA compliance, but it cannot guarantee it. Organizations should follow a HIPAA-compliance checklist, configure or modify their software as necessary, and train staff on HIPAA guidelines to minimize the risk of the unintentional human error that leads to most breaches.

How technology vendors help with HIPAA compliance

Think of HIPAA compliance like building a house. You want to make sure that your house is strong and secure, and that nobody can get in without your permission. Just like you might hire a contractor to build your house and make sure it meets safety standards, human services organizations can turn to technology vendors or consultants to help them ensure that their data is secure and in compliance with HIPAA regulations.

A consulting partner like Exponent Partners is like a contractor who specializes in building houses that meet safety standards. They build on the Salesforce platform, which provides the platform-level security controls that compliance depends on, like strong locks on doors and windows. And just like a contractor can customize your house to your specific needs, Exponent Case Management allows you to customize the solution to meet your access requirements for sensitive data.

But just like a contractor can’t create safety regulations for their clients, technology vendors can’t create HIPAA compliant policies and procedures for their human services clients. However, they can work with them to implement and configure their solutions in a HIPAA compliant manner. This means they can make sure that the technical safeguards are in place, like making sure that all doors and windows have locks that meet safety standards. 

Some of these technical safeguards include:

  • Access Controls – Technical policies and procedures that allow ePHI to be read or changed only by users who have been granted those rights: unique user identification, role-based permissions, an emergency access procedure, and automatic logoff after a period of inactivity.
  • Person or Entity Authentication – Verification that a person or system requesting access to ePHI is who it claims to be. At minimum this means passwords or PINs issued by an appointed administrator who can revoke access for a user or a device; multi-factor authentication is the stronger and now expected option.
  • Audit Controls – Hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI. Audit records should be complete enough to support required risk assessments, to tune access controls, and to update user policies as necessary.
  • Integrity – Mechanisms that ensure ePHI is not improperly altered or destroyed, such as checksums or digital signatures that let the organization verify a record has not been changed. Backup and disaster recovery planning complement this but formally fall under the Security Rule's contingency plan requirement.
  • Transmission Security – Protection of ePHI while it travels over a network, normally by encryption. ePHI should be rendered "unreadable, undecipherable or unusable" so that any "acquired" healthcare or payment information is of no use to an unauthorized third party.
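The safeguards in the list above are easier to reason about when you see how they interlock in code. The following is an added example written for this post, not code from Exponent Case Management or Salesforce: a toy in-memory case store that enforces role-based access, automatic logoff after an inactivity limit, an audit entry for every access attempt (allowed or denied), and an HMAC integrity tag that detects a record altered outside the application. The key, the `case_manager` role, the 15-minute limit, and the sample record are all assumptions made for the demo.

```python
"""Toy model of HIPAA technical safeguards: access control with automatic
logoff, audit controls, and integrity verification of ePHI records.
Constructed example; the key, roles and timeout below are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed policy value: end a session after 15 minutes without activity.
INACTIVITY_LIMIT_SECONDS = 15 * 60

# Constructed demo key; a real deployment keeps this in a secrets store or KMS.
_INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"


class AccessDenied(Exception):
    """Caller's role is not permitted to read the record."""


class SessionExpired(Exception):
    """Inactivity limit exceeded: automatic logoff."""


class IntegrityError(Exception):
    """Stored record no longer matches its integrity tag."""


@dataclass
class Session:
    user: str
    roles: frozenset
    last_active: float  # seconds; passed in explicitly so the example is deterministic


def integrity_tag(record: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so field order cannot hide an edit."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(_INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


class CaseStore:
    """In-memory ePHI store: each record is kept with its HMAC tag, and every
    access attempt, allowed or denied, is appended to the audit log."""

    def __init__(self) -> None:
        self.records: dict = {}    # case_id -> [record, tag]
        self.audit_log: list = []  # one entry per access attempt

    def put(self, case_id: str, record: dict) -> None:
        self.records[case_id] = [dict(record), integrity_tag(record)]

    def _audit(self, user: str, case_id: str, outcome: str, now: float) -> None:
        self.audit_log.append({"user": user, "case": case_id, "outcome": outcome, "at": now})

    def read(self, session: Session, case_id: str, now: float) -> dict:
        # 1. Automatic logoff: refuse and log if the session has been idle too long.
        if now - session.last_active > INACTIVITY_LIMIT_SECONDS:
            self._audit(session.user, case_id, "denied:session-expired", now)
            raise SessionExpired(session.user)
        session.last_active = now
        # 2. Access control: only the case_manager role may read ePHI (assumed policy).
        if "case_manager" not in session.roles:
            self._audit(session.user, case_id, "denied:unauthorized", now)
            raise AccessDenied(session.user)
        # 3. Integrity: recompute the tag and compare in constant time.
        record, tag = self.records[case_id]
        if not hmac.compare_digest(integrity_tag(record), tag):
            self._audit(session.user, case_id, "denied:integrity-failure", now)
            raise IntegrityError(case_id)
        self._audit(session.user, case_id, "ok", now)
        return dict(record)


def run_demo() -> list:
    """Exercise all four paths and return the audit outcomes in order."""
    store = CaseStore()
    # Constructed sample record; not real client data.
    store.put("CASE-001", {"client": "J. Doe", "diagnosis": "F41.1", "notes": "intake complete"})

    manager = Session("alice", frozenset({"case_manager"}), last_active=0.0)
    assert store.read(manager, "CASE-001", now=60.0)["diagnosis"] == "F41.1"

    volunteer = Session("bob", frozenset({"volunteer"}), last_active=0.0)
    try:
        store.read(volunteer, "CASE-001", now=61.0)
    except AccessDenied:
        pass

    idle = Session("carol", frozenset({"case_manager"}), last_active=0.0)
    try:
        store.read(idle, "CASE-001", now=INACTIVITY_LIMIT_SECONDS + 1.0)
    except SessionExpired:
        pass

    # Simulate an edit that bypassed the application (e.g. a direct database write).
    store.records["CASE-001"][0]["diagnosis"] = "Z00.0"
    try:
        store.read(manager, "CASE-001", now=120.0)
    except IntegrityError:
        pass

    return [entry["outcome"] for entry in store.audit_log]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Two design points carry over to a real system. Denied attempts are logged as carefully as successful ones, because the audit trail is what a risk assessment and a breach investigation will read; and the integrity tag is recomputed on every read rather than trusted from storage, which is the only way to catch a change made by someone with direct database access.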

In summary, the Salesforce platform provides the data management tools for ECM data, including management and controls for user accounts, authorization, and access. All client data is stored in Salesforce-managed data centers governed by the human services organization's (the "Organization") Salesforce agreement, and Salesforce publishes independent audit attestations for those data centers (the SAS 70 Type II attestation has since been superseded by the SOC 1/SOC 2 reporting standards). Lastly, by default ECM exposes no feature or component to users the Organization has not authorized for it, and it has no functionality that transmits customer data to an external service without explicit authorization from that customer.

Additional safeguards: data protection and security review 

At Exponent Partners, we take the confidentiality and protection of Organization PHI very seriously. Our staff only has access to Organization PHI when authorized by the organization through a Salesforce user account. We follow a strict Data Protection Policy to maintain confidentiality when handling data for migration purposes.

We also have specific sections in our Exponent Partners Professional Services Agreement that address confidentiality and proprietary information. These sections ensure that we protect Organization assets and maintain confidentiality throughout our work.

Lastly, our latest version of Exponent Case Management (ECM) is a managed package on the Salesforce AppExchange, which has passed the rigorous Salesforce security review process. We also provide documentation that outlines how we protect organizational assets and maintain HIPAA compliance. This ensures that our customers have the necessary resources and information to maintain HIPAA compliance when using our solution.

The importance of staff training and education on HIPAA regulations

As a best practice, nonprofit organizations must prioritize HIPAA training for all staff members who handle sensitive client information. Staff members should understand the importance of HIPAA compliance and how it impacts their daily work. Training should include information on HIPAA regulations, security protocols, and best practices for handling and protecting sensitive client information.

Most breaches occur because of unintentional human error. That is why ongoing education and training are essential, and why a single onboarding session is not enough: the rules, HHS guidance, and enforcement priorities change over time. Staff members should stay up to date on any updates or changes to HIPAA and ensure that their processes remain compliant.

Tips for selecting and implementing “HIPAA-compliant software”

When selecting a software solution, look for encryption of data in transit and at rest, granular user access controls, audit logging, and regular, tested backups. If the vendor (or its implementation consultants) will create, receive, maintain, or transmit PHI on your behalf, HIPAA requires a signed Business Associate Agreement (BAA) that sets out their responsibilities, so a provider unwilling to sign one should be ruled out. Exponent Case Management was recently independently reviewed and compared with 26 other case management systems. The result? We were recommended 3x for some of the most important priorities for nonprofits, including HIPAA compliance.

Resources and tools available to help nonprofits ensure HIPAA compliance

Several resources and tools are available to help nonprofits ensure HIPAA compliance. For example, the Department of Health and Human Services (HHS) provides online resources and training materials to help organizations understand HIPAA regulations and best practices. Here are a few bonus resources for your perusal.

  1. An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
  2. Trust.Salesforce.com Security Overview
  3. HIPAA Primer for Nonprofit Social Services Agencies

Nonprofits can also seek guidance from HIPAA compliance consultants, who can provide tailored recommendations and support to ensure that their case management processes remain HIPAA compliant.

Nonprofits that provide case management services play an important role in supporting their clients' well-being. Software like Exponent Case Management, configured and used according to the practices above, helps these organizations protect client data and build trust with their clients. By following best practices for HIPAA compliance, nonprofits can also reduce their risk of legal penalties and demonstrate their commitment to maintaining the highest standards of data security and confidentiality. Want to dive deeper into all the ways we can help your human services agency with HIPAA compliance? Contact us today!