Staying HIPAA Compliant with QMS Software

Staying HIPAA Compliant with QMS Software

Author Selim Ozyel

For many companies in FDA regulated industries, including pharmaceuticals, medical devices, labs and life sciences, compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a critical requirement.

Financial penalties can be stiff, and enforcement has increased significantly in recent years. The maximum penalty is $50,000 per incident, and if multiple patient records are compromised, the total can quickly add up to a large dollar figure. In 2019, the average total financial penalty for HIPAA violations amounted to over $1.2 million.

HIPAA compliance requires that companies follow strict guidelines to safeguard patients’ Protected Health Information (PHI), not only inside the four walls of their company, but whenever that information is shared with outside service providers who receive, transmit, or maintain PHI on their behalf.

Such service providers are referred to under HIPAA regulations as “business associates”, and it is incumbent upon any organization responsible for PHI to make sure that business associates are taking appropriate measures to safeguard that information.

Companies that are directly subject to HIPAA regulations are referred to in the law as “covered entities”, and they should make sure they have written “business associate” agreements in place with each of their service providers, clearly outlining responsibilities and ensuring that those third parties have implemented measures to ensure compliance. If such legal measures are not in place, the covered entity can be held directly responsible for HIPAA violations that result from a service provider’s negligence.

As a leading provider of Quality Management Software for regulated industries, Intellect understands the vital importance of HIPAA compliance, and we take stringent measures to ensure that the PHI entrusted to us is protected with the latest and best technology available. We routinely provide signed business associate agreements to our clients in regulated industries, ensuring that the necessary measures are in place to protect those clients and the protected health information for which they are responsible.

Data in Transit, At Rest, and In Use

Whenever PHI is transmitted through computer networks (including the Internet), stored in a databasein the cloud, or made available to a user of our software, we are obligated to protect it against unauthorized access. These three scenarios are referred to as “data in transit”, “data at rest”, and “data in use”, respectively. Intellect employs the latest technologies to safeguard information each of these three situations.

  • For data in transit, we use SSL encryption, which encapsulates data in a secure wrapper, preventing disclosure to unauthorized parties.
  • For data at rest, we use secure AES 256 bit file encryption.
  • For data in use, we apply rigid standards for user authentication, combined with role-based authorizations that limit the visibility of data within our software.

Physical Security

While cyber-security measures are critically important, adequate protection of PHI must extend to the physical world as well. That includes safeguarding the data center facilities that house our clients’ PHI. Preventing unauthorized access or loss of that data requires high standards for access control, surveillance, and fault tolerance.

Our web-based QMS software is hosted with Amazon Web Services in facilities that share our obsession with high standards for security. For customers that require HIPAA compliance, Intellect hosts its systems within Tier III data centers with SSAE16 SOC 2 Certifications. Our data centers use fingerprint scanning, video surveillance, and other high-security access control systems and processes to safeguard against unauthorized access.


Although many people think of HIPAA as something that applies to healthcare providers, in fact it can be highly relevant to manufacturers in pharma, life sciences, labs, and medical devices; particularly if they are doing complaint handling and investigations (CAPA) or if they are involved in clinical trials.

For medical device manufacturers that produce implantable or life-sustaining devices, quality management software plays an especially critical role. Issues or complaints originating from end users of those devices may include PHI that must be protected.

A Reputation for Excellence

Intellect is trusted by some of the biggest names in the healthcare and life sciences industries, including Bruker, Paul Hartmann, and NeilMed Pharmaceuticals. Top organizations have chosen Intellect QMS because our software delivers proven benefits for customers across a range of industries.

To learn more about how Intellect can help your organization achieve higher quality standards, contact us.


Written by Selim Ozyel