By Chris Byers, CEO
If you work in the healthcare industry, chances are, you’ve heard of the Health Insurance Portability and Accountability Act (HIPAA) and the important role it plays in the work of hospitals and insurance companies. However, are you aware of the implications it has on your place of business as well? Whether you realize it or not, this legislation is likely pertinent to your facility, and understanding its terms could benefit your practice in the long run.
Law firms, consultants and medical device manufacturers are just some of the overlooked parts of the healthcare industry that must abide by and remain compliant with HIPAA’s Privacy and Security standards in order to avoid stiff penalties. To best protect your company from HIPAA violations and, in turn, safeguard the protected health information (PHI) of your customers and partners, you should get to know HIPAA.
History of HIPAA
Before HIPAA was signed into law in 1996, there was no generally accepted set of standards regarding health information despite the rise of technology in the industry. The existing laws and regulations were inadequate to address the types of information and transmission methods that had begun to impact healthcare.
HIPAA’s introduction directed the U.S. Department of Health and Human Services (HHS) to issue regulations protecting the privacy and security of certain health information. Ultimately, HIPAA’s legislation led to the Privacy Rule and the Security Rule, which outline how organizations must store Protected Health Information (PHI).
Identifying What HIPAA Means for You
Today, HIPAA applies to two classes of organizations, according to HHS:
- Covered Entities: healthcare providers that transmit information in an electronic form; health plans, such as insurance companies, HMOs and government programs that pay for care; and healthcare clearinghouses, such as a coding service or revenue cycle management partner
- Business Associates: partners utilized by Covered Entities, such as claims processors, CPA and law firms, quality assurance consultants and pharmacy benefits managers
Many organizations that are unfamiliar with how HIPAA regulations apply to them fall into the Business Associates category. If this fits your business, two things are necessary to remain in compliance: a legal agreement with the Covered Entity with whom you are working, and the tools necessary to begin storing and protecting PHI.
To ensure the Business Associate understands and will abide by the Privacy and Security Rules set forth by HHS, lay out a Business Associate Agreement (BAA). This will clarify many details, including how PHI may be used, disclosed and protected. For sample language to create a legally enforceable BAA, an organization can turn to the Office for Civil Rights (OCR), which is the enforcing entity within HHS.
With ever-changing rules and regulations, it’s suggested that organizations graduate from relying on paper contracts in filing cabinets or elementary cloud storage solutions, and turn to a document and contract management tool instead. This will ensure contracts are developed, eSigned and stored in an organized manner. It also spares organizations from having to dig up physical files to find the BAA, a process that leaves room for error and the misplacement of personal information.
Lastly, check your organization’s workflow. It should be HIPAA compliant and accompanied by properly secured data capture tools. For instance, each piece of the work chain should be transmitting data and feedback to your organization in a compliant manner, extending all the way to email systems and beyond.
Evaluate whether both parties are using an end-to-end HIPAA compliant system. If not, there is likely a weak link in the compliance chain. Covered Entities and Business Associates should both employ a method of data capture with the storage encryption and access controls required by HIPAA.
A valid motivation for ensuring HIPAA compliance is to avoid stiff penalties and violations. If it seems as though your organization is inherently safe from a violation, it’s time to re-evaluate. In March 2019, more than a quarter-million patients’ personal and medical information was exposed by one manufacturer alone—a disaster that could have been easily avoided. It occurred simply because the manufacturer’s email archiving partner merged two servers, which exposed patients’ PHI to the potential of unauthorized access.
HIPAA compliance should not be viewed as simply an option your organization can opt out of. It is necessary to follow the regulations set by HIPAA. Violations for noncompliance have resulted in employment termination, fines into the millions of dollars and even prison sentences. Know the importance of compliance and protect your organization by communicating regularly with your development, quality assurance and regulatory affairs teams. Discover whether or not your organization could be considered a Business Associate and begin instilling practices to implement the proper workflows for handling PHI.
Chris Byers is CEO of Formstack.