Question about Nurse Office and HIPAA
My school would like to convert from Magnus to Nurse Office but our health center team has concerns over the lack of HIPAA compliance. Do other schools share this same concern, even with the security built into BB and using SSO, which adds even more security to the login accounts? The health team is having a hard time getting past the literature BB provides stating "Our software can't be "certified" as "HIPAA compliant," but it does provide the tools to help the school nurse manage HIPAA compliance." This is stopping them from moving forward thinking the software isn't in compliance with HIPAA. Any feedback would be much appreciated.
Comments
-
@Joe Scanlon Thanks for a great question. I originally wrote that sentence. I'll update that help topic to try to make it clearer though.
At the time, the understanding was that there is no way to “certify” software, any software, as “HIPAA compliant.” To the best of my knowledge that's still true. HIPAA compliance isn't something you get a certificate for as software. No one can claim their software is “certified HIPAA compliant.” We can, however, offer the tools that enable the user to manage their compliance. But ultimately it is up to the user (usually a school nurse) to follow the safeguards and processes required by HIPAA.
When the Medical functionality was new, many schools wanted to know if we were “certified” but we can't be certified because a legal certification simply doesn't exist anywhere for anyone. The functions were created and are maintained with compliance as top priority, but there isn't a “certificate” to go with that.
Intuitively, it seems like there ought to be a certification for compliance, but it's just not a thing, legally. We wanted to make sure we weren't promising something that didn't exist, as we were being asked for it. That's also why we recommend schools review HIPAA and FERPA requirements with their own legal advisors too.
Basically, we can provide the tools, but legally, compliance is also a matter of how those tools are used and what else the user does or doesn't do with the patient data.
So, Magnus probably isn't “certified” either. Technically speaking. They have tools and practices that help you ensure compliance. They also evaluate their practices and functions for compliance. But there is no official “certificate” for it. For example, if you look at HIPAA on https://magnushealth.com/privacy-security/ it doesn't mention a certificate either. There is nothing “wrong” with the lack of a “certificate.” It is “normal” to lack certification for this, because there is no official certification.
Additionally, the U.S. Department of Health and Human Services (HHS) does not officially endorse any specific certification process.
Some third party companies offer training and “certification” programs for staff/people, but those “certifications” aren't really a legal benchmark of quality. They simply indicate that the person completed the third party training and has promised to dedicate themselves to ongoing compliance in their future actions.
Compliance isn't a certification. It's also the ongoing actions you take.
Here's how an “AI overview” from Google search results explains it:
There's no official "HIPAA-certified" software. HIPAA compliance is achieved by implementing safeguards and processes that meet the requirements of the HIPAA regulations, not by obtaining a specific certification. While software vendors may claim their solutions are HIPAA-compliant, the responsibility of demonstrating compliance ultimately lies with the covered entity using the software.
Key points about HIPAA compliance and software:
- No Official Certification: There's no official HIPAA certification program for software.
- Implementation is Key: HIPAA compliance is achieved by implementing appropriate safeguards, not by obtaining a certification.
- Vendor Claims: Software vendors may claim compliance, but covered entities are responsible for verifying and demonstrating compliance.
- Assessing and Mitigating Gaps: Software vendors and covered entities can assess and mitigate gaps in compliance to ensure HIPAA-required standards are met.
- Importance of Security and Privacy: HIPAA compliance requires implementing security and privacy safeguards, including access controls, encryption, and data backup and recovery.
- Training and Documentation: Covered entities must also train their workforce on HIPAA compliance and maintain proper documentation.
Examples of software that can help with HIPAA compliance:
- Security Risk Assessment Tools: These tools help identify and assess potential security risks and vulnerabilities.
- Data Encryption Software: Encryption protects sensitive data both in transit and at rest.
- Data Backup and Recovery Solutions: These solutions ensure data is backed up and can be recovered in case of disaster.
- Access Control and Authentication Software: This software helps control access to PHI and verify user identities.
- HIPAA Compliance Management Software: Some software providers offer tools to help manage compliance processes, track activities, and manage documentation.
In summary: While there's no "HIPAA certification" for software, covered entities must implement appropriate safeguards and processes to demonstrate HIPAA compliance. Software can be a valuable tool in achieving this, but the ultimate responsibility rests with the organization using the software.
0 -
@Joe Scanlon Also recall that (most?) schools aren't subject to HIPAA so it really is about examining the aspects of the software that can potentially concern your team. One aspect of Blackbaud that I find particularly thoughtful is that even if you impersonate a Nurse, you can't see medical information using their account - you have to be a Nurse yourself. Given the number of staff in many schools who can impersonate others (it's helpful to assist parents, for example), this was a great security measure that comforted our nurses.
5 -
@Joe Scanlon To me, the biggest concern is that we cannot notify a parent of a clinic visit and the parent can't log in to view a note. At least with Magnus, the parent receives an email that says they came and to view the note, log in. It appears that BB will not consider this since it's been requested since 2016. The only workarounds appear to be to call/text a parent for EVERY visit or to copy and paste the body of the note into an email, which isn't advisable.
And the other big issue is that every medical condition viewable by teachers generates a “medical alert” - that should be a checkbox option because every student will have a “medical alert” whether it is for seasonal allergies or for a life threatening food allergy, not helping teachers to see at a glance the true medical alerts they should be aware of.
3 -
@David Gillespie Yes - the school's legal counsel confirmed this for us.
1



