June 28, 2013
HIPAA and CRM: Is your CRM system HIPAA Capable?
We have a lot of customers in the insurance industry, specifically those dealing with health plans. As we help them implement and manage their CRM environments, we have become very well acquainted with HIPAA (Health Insurance Portability and Accountability Act) and the issues it surfaces for anyone trying to manage a system where HIPAA rules apply.
This is a deep and far-reaching piece of legislation that includes data storage and architectural issues, and Microsoft has information on some of the more technical pieces, including this white paper: http://www.microsoft.com/en-us/download/confirmation.aspx?id=29565 . This post, however, takes a high-level view of HIPAA with regard to PHI (Protected Health Information), how to know whether your CRM system is HIPAA capable, and how easy it is to get there.
First things first: calling any stand-alone CRM system HIPAA compliant is incorrect. Why? Because a CRM system is built with all types of customers in mind, not just customers in the health arena, so the system itself isn't so much HIPAA compliant as it is HIPAA capable. Microsoft Dynamics CRM Online supports HIPAA compliance. The solution and modifications that you or your partner make to the CRM can be kept within the guidelines of compliance where PHI is concerned. Let's review some of the necessary features a CRM system must have in order to stay in compliance with the use and disclosure of PHI.
1. User Security Roles: In the health care arena, as in any other, there will be multiple users, all of whom will need different security roles based on what they use CRM for. If a user doesn't need to see medical records within the system, their security role should dictate that.
- Out of the box, Dynamics CRM provides a robust security roles module that can be record- or field-specific. This gives the security administrator a friendly UI to manage who can see and do what.
2. Record Level Security (Forms): So we have set up who can access which records, but you also need to make sure your CRM can manage which fields each user can see on a specific record.
- Dynamics CRM handles this in two ways; one is to have different forms for each record type. The forms can have security roles assigned to them, so the billing clerk and the physician may see the same record, but the form looks different and is limited for the billing clerk.
3. Data Field Level Security: Field-level security allows for an even more robust and comprehensive security model, and also allows you to use your CRM data safely.
- Dynamics CRM allows you to put security on specific fields, so a user can still access the records and mine the data; they just can't access any information, or combination of information, that is considered PHI.
4. Request a HIPAA Business Associate Agreement: Microsoft will sign a Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA-BAA) for Dynamics CRM Online with customers upon request. You can request a signed copy here. Or you can contact Customer Effective and we will help guide you through making your CRM solution HIPAA compliant.
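As an added example (not code from the original post or from Microsoft), here is what items 2 and 3 above look like when done through the Dynamics CRM SDK rather than the UI: a custom PHI field is marked as secured, a field security profile grants read/update only to the physicians' team, and a query lists every profile that can read the field so the set of readers can be reviewed. Assumed: an authenticated `IOrganizationService` (`service`), a custom attribute such as `new_diagnosis` on `contact`, and an existing team whose id is passed as `teamId`; the class and method names are this example's own.

```csharp
using System; using System.Collections.Generic; using System.Linq;
using Microsoft.Xrm.Sdk; using Microsoft.Xrm.Sdk.Messages;
using Microsoft.Xrm.Sdk.Metadata; using Microsoft.Xrm.Sdk.Query;

public static class PhiFieldSecurity
{
    // Step 1: mark the (custom) attribute as secured. Once secured, nobody except a
    // System Administrator can read it unless a field security profile grants access.
    public static void SecureAttribute(IOrganizationService service, string entity, string attribute)
    {
        var response = (RetrieveAttributeResponse)service.Execute(
            new RetrieveAttributeRequest { EntityLogicalName = entity, LogicalName = attribute });
        AttributeMetadata metadata = response.AttributeMetadata;
        metadata.IsSecured = true;
        service.Execute(new UpdateAttributeRequest { EntityName = entity, Attribute = metadata });
        service.Execute(new PublishAllXmlRequest()); // metadata changes apply only after publishing
    }

    // Step 2: create a profile granting read and update (4 = Allowed, 0 = Not Allowed) on
    // the PHI field and link it to the physician team so its members inherit the grant.
    public static Guid GrantPhiAccessToTeam(IOrganizationService service, string entity, string attribute, Guid teamId)
    {
        var profile = new Entity("fieldsecurityprofile");
        profile["name"] = "Physicians - PHI access";
        Guid profileId = service.Create(profile);
        var permission = new Entity("fieldpermission");
        permission["fieldsecurityprofileid"] = new EntityReference("fieldsecurityprofile", profileId);
        permission["entityname"] = entity;
        permission["attributelogicalname"] = attribute;
        permission["canread"] = new OptionSetValue(4);
        permission["canupdate"] = new OptionSetValue(4);
        permission["cancreate"] = new OptionSetValue(0);
        service.Create(permission);
        service.Execute(new AssociateRequest
        {
            Target = new EntityReference("team", teamId),
            RelatedEntities = new EntityReferenceCollection { new EntityReference("fieldsecurityprofile", profileId) },
            Relationship = new Relationship("teamprofiles_association")
        });
        return profileId;
    }

    // Step 3 (periodic check): every profile that can read the PHI field; the billing
    // clerks' profile, if any, should not appear in this list.
    public static List<Guid> ProfilesThatCanRead(IOrganizationService service, string attribute)
    {
        var query = new QueryExpression("fieldpermission") { ColumnSet = new ColumnSet("fieldsecurityprofileid") };
        query.Criteria.AddCondition("attributelogicalname", ConditionOperator.Equal, attribute);
        query.Criteria.AddCondition("canread", ConditionOperator.Equal, 4);
        return service.RetrieveMultiple(query).Entities
            .Select(e => e.GetAttributeValue<EntityReference>("fieldsecurityprofileid").Id).ToList();
    }
}
```

Users without any profile granting read on the secured field (the billing clerk in the example above) still open the record and its form, but the PHI field shows masked, which is the behaviour items 2 and 3 describe.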
In order to be successful with any regulatory compliance, you need a game plan for implementing a CRM solution that will operate within the guidelines. Dynamics CRM is HIPAA capable, and it provides several out-of-the-box features that can help make your deployment HIPAA compliant.