HIPAA and CiviCRM?
Friend-of-the-list Kimberly wrote in today with this question (shared with permission):
Hi Allen,
I just had a potential client ask me about HIPAA compliance. I've read some stuff on the stack exchange and the only thing I can see that might be a problem is that CiviCRM doesn't track when users open records.
I also know that a lot of people don't understand HIPAA so this person may not understand what she needs to be HIPAA compliant.
Can she use CiviCRM if she needs a HIPAA compliant database?
Kim
Here’s my answer:
Hi Kim,
> Can she use CiviCRM if she needs a HIPAA compliant database?
In short, yes she could. But there's a lot of work involved, and it's not a very well-worn path (i.e., I can't think of anyone who's said they're doing it or have done it, though I have seen some say they were going to try it).
The thing is, CiviCRM is a general-purpose CRM system serving the typical needs of non-profits and other community-driven organizations, whereas HIPAA compliance has — as you probably know — a set of strict requirements that a) aren't built right into CiviCRM, and b) are about more than the software itself.
I imagine most organizations, faced with the challenge of complying with a set of complex federal rules, would rather just shell out the money to an EMR system vendor that specializes in that kind of thing. That approach is expensive, but can feel very comforting.
In general:
- CiviCRM itself doesn't (and really can't) make any claims of "HIPAA compliance" as a simple yes-or-no question. CiviCRM's native data fields (name, address, etc.) aren't designed to track HIPAA-protected data (e-PHI), and it can't know which custom fields are intended to contain such data; therefore you'll need to take specific action to make sure such data is properly protected.
- I myself don't claim authoritative knowledge of HIPAA requirements, but hopefully you or the client have (or are establishing) a relationship with someone who can provide that expertise. This is important because, while a CiviCRM expert can help you ensure that CiviCRM is configured in a way that supports compliance, HIPAA compliance itself includes much more than that.
- That said, it is conceivable that one could configure CiviCRM in a way that helps to enforce HIPAA compliance in the client's unique staff workflows, based on their unique HIPAA compliance plan. This probably would call for some custom extension development to fill in requirements that CiviCRM can't meet out-of-the-box.
- As you mention, CiviCRM doesn't keep track of "who viewed which records." What's more, there are any number of ways to view constituent data in CiviCRM: searches, reports, direct viewing of individual constituent records, etc. So the tracking of "who has viewed what data" is not just a question of "who viewed which constituent record", but "who viewed specific fields, activities, or other records, whether in search results, or reports, or some other way."
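To make that last point concrete, here is an added example (not CiviCRM code, and not something from Allen or Kim) of the kind of view-audit log a custom extension would have to feed from every place data is rendered: the contact page, search results, reports, and any API export. It is framework-independent Python, so the "access path" names, the `diagnosis_code` field, and the staff user names are all constructed for illustration. The point it shows is that the log has to record which fields were disclosed and by which path, not just that "a contact was viewed", and that the log itself needs tamper evidence (a hash chain here) before an auditor will trust it.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


class ViewAuditLog:
    """Append-only, hash-chained record of which protected fields each
    staff user saw, through which access path (hypothetical design sketch)."""

    def __init__(self, sensitive_fields):
        # Only fields the organisation's own compliance plan marks as e-PHI
        # are logged; CiviCRM itself cannot know which custom fields these are.
        self._sensitive = frozenset(sensitive_fields)
        self.entries = []

    def record(self, viewer, access_path, record_type, record_ids, fields, ts=None):
        """Log one disclosure event. Returns the entry hash, or None when no
        sensitive field was shown (such views need no PHI audit entry)."""
        disclosed = tuple(sorted(set(fields) & self._sensitive))
        if not disclosed:
            return None
        event = {
            "viewer": viewer,
            "access_path": access_path,          # e.g. contact_view, search, report
            "record_type": record_type,
            "record_ids": sorted(record_ids),    # every row the user could see
            "fields": list(disclosed),           # every protected column shown
            "ts": ts or datetime.now(timezone.utc).isoformat(),
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    @staticmethod
    def _digest(prev, event):
        payload = prev + json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def verify(self):
        """True only if every entry still matches its hash and links to its predecessor."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def who_viewed(self, record_type, record_id, field=None):
        """Answer the auditor's question: who saw this record (or this field of it)?"""
        viewers = set()
        for entry in self.entries:
            ev = entry["event"]
            if ev["record_type"] != record_type or record_id not in ev["record_ids"]:
                continue
            if field is None or field in ev["fields"]:
                viewers.add(ev["viewer"])
        return sorted(viewers)


def build_sample_log():
    """Constructed sample: three screens rendered during one staff shift."""
    log = ViewAuditLog(sensitive_fields={"diagnosis_code", "treatment_notes"})
    # Alice opens contact 42 directly; the page shows a protected custom field.
    log.record("alice", "contact_view", "Contact", [42],
               ["display_name", "email", "diagnosis_code"], ts="2024-01-01T09:00:00+00:00")
    # Bob runs a search whose result columns include the same field for two contacts.
    log.record("bob", "search", "Contact", [42, 43],
               ["display_name", "diagnosis_code"], ts="2024-01-01T09:05:00+00:00")
    # Carol runs a mailing report with no protected columns: nothing to log.
    log.record("carol", "report", "Contact", [42, 43, 44],
               ["display_name", "postal_code"], ts="2024-01-01T09:10:00+00:00")
    return log


def tamper_is_detected():
    """Edit a stored entry after the fact and confirm verify() notices."""
    log = build_sample_log()
    log.entries[0]["event"]["viewer"] = "nobody"   # attempt to erase Alice's access
    return not log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("entries logged:", len(log.entries))                        # 2
    print("viewed 43/diagnosis_code:", log.who_viewed("Contact", 43, "diagnosis_code"))
    print("chain intact:", log.verify(), "| tamper caught:", tamper_is_detected())
```

In a real deployment the log would live outside the CRM database (or at least outside the reach of the accounts being audited), because a record that the viewer can edit proves nothing; the hash chain only tells you that something changed, not who changed it.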
This of course will leave you with a few questions to explore:
1. What data to be tracked in CiviCRM would be covered by the HIPAA compliance requirements?
2. Has the client already formulated staff policies regarding HIPAA compliance in the management of that data, or are they still on their way to creating those policies?
3. Is the client already using other system(s) to track HIPAA-protected data? Will those systems be linked to CiviCRM in some automated way? If so, there's probably some custom work to be done to create that integration, and that of course will need to be designed with the appropriate security requirements in mind.
I've had similar questions from several different clients over the years. All of them have decided to use some external vendor-provided system to ensure HIPAA compliance of protected data, and then to separately maintain CiviCRM as a CRM tracking the "usual" stuff like mailings, memberships, activities, etc.
I won't say there's not a business case for doing this in CiviCRM, but so far, I haven't seen anyone who dug in on the numbers and decided they had such a business case.
To sum up:
Yes, they could use CiviCRM to track patient data that's protected under HIPAA, but there's probably a lot of work to be done in order to ensure that data is properly protected according to the organization's own HIPAA compliance plan. I'd recommend a careful cost/benefit analysis before diving in.
Hope this helps!
All the best,
Allen
Would you like some help with a question about CiviCRM, or CRM strategy in general? Send it my way, and I’ll give you my most thoughtful reply. (I won’t share it with the list without asking you first, and it’s always fine to say “no.”)
All the best,
A.