On January 17, 2013, new HIPAA rules were released that create some concerns and challenges for healthcare providers and their choice of a technology service and support company. Business Associates now have to comply with HIPAA as if they were Covered Entities. One of the main reasons for these new regulations is that many data breaches have been caused by Business Associates, which until now have been out of reach of the regulatory authorities. In November 2012, a Business Associate breached 68,000 patient records.

CHALLENGES

Effective January 17th, 2013, all technical support and service providers to healthcare providers (even if they do not sell EMR systems) must implement a compliance program that includes HIPAA policies, procedures, end-user training, and proof of compliance. Service companies must create HIPAA-compliant workflows to ensure that their employees deal with patient data in a way that does not cause an unintentional data breach. They also need to document their work in great detail to be prepared for audits and data breach investigations if they occur.

Many other types of Business Associates must also comply. These include several categories that have been specifically identified. (One type of business that is not considered a Business Associate is an Internet service provider that simply moves data between points and does not store it, e.g. Comcast Internet service.)

Encryption is not a HIPAA requirement. However, if a device like a laptop is encrypted and then lost, the loss does not have to be reported as a breach. In 2012 a large hospital was fined $1.5 million after a doctor's laptop was stolen. A small hospice paid $50,000 for a stolen laptop. A state health department paid $1.7 million for a stolen hard drive. If these devices had been encrypted, the losses would not have been reportable. If a portable laptop, or even the backup hard drives in your office, are not encrypted and are lost or stolen, your practice could be liable for these types of fines as well.

The Bottom Line:
Have your Copier Company, Electronic Medical Record (EMR) software provider, Data Centers where offsite backups are stored, Shredding Company, Records Storage Companies, Lawyers (who represent health care providers), Accountants, and Collections Agency provided you with an up-to-date Business Associate agreement spelling out their compliance program?

Are you absolutely positive that your data's security and your critical business technology are being handled properly and by trained professionals?

If you are an ACTSmart ProWatch or DataGuardian Client, we have already provided you with our Omnibus Business Associate Compliance Agreement. Can’t find it? Give us a call and we’ll send you another copy!