BoardEffect HIPAA Compliance


Healthcare providers face several challenges when selecting and using the services of an outside (third-party) vendor that could potentially have access to individuals' ePHI (electronic Protected Health Information). As of December 2015, BoardEffect achieved HIPAA compliance, benefiting organizations that are required to safeguard this information under these guidelines.

HIPAA stands for the Health Insurance Portability and Accountability Act, legislation that, among other things, aims to reduce healthcare fraud and abuse. HIPAA also defines the standards that Business Associates (in this case, BoardEffect) and Covered Entities (healthcare providers) must follow when dealing with ePHI. It does this through a series of safeguards and policies.

What’s involved in HIPAA compliance?

HIPAA compliance is quite comprehensive, and the regulations extend far beyond technical controls. Compliance includes administrative and physical controls in vendors' office and working environments, as well as policies around proper disclosure and risk analysis. The requirements range from paper shredding (cross-cut shredding!) to data encryption to what happens in the unlikely event that a data breach occurs.

While the essence of HIPAA deals with ePHI (which is fundamentally information related to healthcare), compliance demonstrates an organizational maturity of the service provider that will appeal to both healthcare and non-healthcare entities.

Why did BoardEffect take this on?

BoardEffect's vision is to allow truly easy management of board information, while also enabling board directors to fulfill their responsibilities of elevating organizational performance. With over 1,400 clients serving 2,500+ boards, BoardEffect has built a broad client base with strong representation among healthcare organizations. These members of the BE healthcare community range from small local hospitals with simple board structures to national hospital networks with several boards to health benefits organizations. These organizations serve real people and handle the information that is most sensitive and personal to them. With all of this in mind, we have invested in becoming HIPAA compliant for them, and for any organization where similar safeguards are critically important.

Why would a board portal need to be HIPAA compliant?

Having worked with thousands of boards, we have increasingly seen use cases where ePHI has a very legitimate reason to be posted in a board portal. This can be an anecdotal mention in a board book, a review of a medical claim, or a strategic discussion about employee benefits. These and other examples made it very apparent to us that HIPAA compliance for a board portal is a valid need, and a requirement for progressive board portal vendors.

The SEC (Securities and Exchange Commission) has stated that boards of organizations responsible for safeguarding information will be held accountable for lax security policies and procedures. In terms of HIPAA, the penalties for willful non-compliance are extremely stiff, so asserting compliance is a major commitment for an organization. In turn, a "Covered Entity" (the term used to describe health providers, health plans, clearinghouses, and providers that transmit ePHI) is responsible for ensuring that any vendors ("Business Associates" or "BAs") that touch PHI are also compliant. As such, BoardEffect will engage in a HIPAA compliant "Business Associate Agreement" ("BAA") that outlines the framework and responsibilities around ePHI relating to the BoardEffect platform.

My organization is not in healthcare; why should I care?

BoardEffect has always been delivered in an extraordinarily secure and stable environment, which will continue to be the case for every one of our clients. But healthcare organizations have specific regulations, driving specific needs. HIPAA addresses those regulations, and BoardEffect complies with HIPAA. Further, BoardEffect will attest to its compliance by signing Business Associate Agreements (BAAs), something very few board portal providers will do.

While every organization needs a highly secure and stable environment, not every organization necessarily needs this level of controls, process, and documentation. But every organization within the BoardEffect client base benefits greatly from our having invested the time and resources to establish the maturity to proudly assert HIPAA compliance. Policies and procedures, strict rules for handling data, and even physical access to buildings and offices apply company-wide and benefit every one of our customers, regardless of industry, that entrust their information to BoardEffect.

For more information about BoardEffect's HIPAA compliant product, please contact Mike Scappa.

Mike is the CTO at BoardEffect.