Compliance

    HIPAA Compliance: What Human Services Agencies Need to Know

    A comprehensive guide to maintaining HIPAA compliance while using modern software tools.

    Jennifer Torres, JDCompliance Director
    Sep 8, 2025
    10 min read

    Understanding HIPAA in Human Services Context

    The Health Insurance Portability and Accountability Act (HIPAA) isn't just for hospitals. Many human services agencies handle Protected Health Information (PHI) and must comply with HIPAA requirements. Understanding these obligations is essential for protecting clients and your organization.

    Who Must Comply?

    Covered Entities

    You're a covered entity if you:

    - Provide health care services and bill electronically

  1. Operate as a health plan
  2. Act as a health care clearinghouse

    Business Associates

    Even if you're not a covered entity, you may be a "business associate" if you:

    - Handle PHI on behalf of covered entities

  3. Provide services involving PHI access
  4. Create, receive, maintain, or transmit PHI

    Many human services agencies fall into one of these categories, particularly those providing:

    - Mental health services

  5. Substance abuse treatment
  6. Developmental disability services
  7. Health-related case management

    The Three HIPAA Rules

    1. Privacy Rule

    The Privacy Rule governs how PHI can be used and disclosed:

    Key Requirements:

  8. Minimum necessary standard: Only access/share what's needed
  9. Client authorization required for most disclosures
  10. Individuals have rights to access and amend their records
  11. Privacy notices must be provided

    Common Exceptions:

  12. Treatment, payment, and operations
  13. Required by law
  14. Public health activities
  15. Abuse/neglect reporting

    2. Security Rule

    The Security Rule mandates safeguards for electronic PHI (ePHI):

    Administrative Safeguards:

  16. Risk assessments
  17. Workforce training
  18. Access management policies
  19. Incident response procedures

    Physical Safeguards:

  20. Facility access controls
  21. Workstation security
  22. Device and media controls

    Technical Safeguards:

  23. Access controls (unique user IDs, automatic logoff)
  24. Audit controls (activity logging)
  25. Integrity controls (data hasn't been altered)
  26. Transmission security (encryption)

    3. Breach Notification Rule

    When PHI is compromised, you must:

    - Notify affected individuals within 60 days

  27. Notify HHS (timing depends on breach size)
  28. Notify media for breaches affecting 500+ in a state
  29. Document all breaches regardless of size

    Software Selection Considerations

    When choosing technology platforms, verify:

    Business Associate Agreements (BAAs)

    - Any vendor handling PHI must sign a BAA

  30. The BAA must address all required elements
  31. Keep BAAs organized and accessible

    Security Features

    Look for:

    - Role-based access controls

  32. Encryption at rest and in transit
  33. Audit logging
  34. Automatic session timeouts
  35. Multi-factor authentication options

    Data Location and Handling

    Understand:

    - Where data is stored (cloud location matters)

  36. How backups are handled
  37. Data retention and destruction policies
  38. Subcontractor relationships

    Common Compliance Mistakes

    1. Assuming you're exempt: Many agencies underestimate their HIPAA obligations

  39. Inadequate risk assessments: Must be thorough and regular
  40. Training gaps: All staff need appropriate training
  41. Missing BAAs: Every vendor with PHI access needs one
  42. Weak access controls: Too many people with too much access
  43. Poor documentation: Policies exist but aren't followed or documented

    Building a Compliance Program

    Start With Assessment

    - Identify all PHI in your organization

  44. Map data flows (where it goes, who accesses it)
  45. Conduct thorough risk assessment
  46. Document findings and create remediation plan

    Implement Policies and Procedures

    - Develop comprehensive policies

  47. Create practical procedures staff can follow
  48. Review and update regularly

    Train Your Workforce

    - Initial training for all new staff

  49. Regular refresher training
  50. Role-specific training where needed
  51. Document all training

    Monitor and Improve

    - Regular audits of compliance

  52. Incident tracking and response
  53. Continuous improvement based on findings

    The Bottom Line

    HIPAA compliance isn't optional, and the penalties for violations can be severe—both financially and reputationally. But more importantly, these requirements exist to protect the vulnerable individuals your agency serves.

    Investing in compliance is investing in trust. When clients know their sensitive information is protected, they're more likely to engage fully in services—leading to better outcomes for everyone.

  54. Related Articles