HIT Think

Why HIPAA requirements extend far beyond providers’ walls

If you run a small healthcare organization, you probably aren’t itching to take a deep dive into the nuanced complexities of your legal responsibilities under HIPAA or the details of how you must safeguard patients’ personal health information from a data and technology perspective.

Given the choice, you’d probably prefer to focus attention solely on your business—that’s why you hire IT solution providers to fulfill technology needs and to understand HIPAA on your behalf.

However, HIPAA happens to include something of an ironic Catch-22 in that the regulation demands that you be aware of at least one aspect of the law and be responsible for meeting it on your own.


The issue is this: the law requires that a HIPAA Covered Entity (any provider, health plan or clearinghouse) must make sure that any “business associate” (including IT vendors) that has the ability to access PHI must itself be fully HIPAA compliant. The legal burden to ensure that your IT vendor is a responsible caretaker of sensitive data is on you, even though you hire the IT company to both handle that responsibility and provide the expertise to know about burdens such as this in the first place.

From a regulatory perspective, this requirement makes complete sense. It would be a huge and dangerous loophole if passing PHI to a third party placed it outside of HIPAA’s safeguards, and who better than the company enlisting any third parties to continue to be responsible for its own PHI?

It’s only as a practical matter for small healthcare organizations relying on vendors for IT and related compliance expertise that the requirement becomes somewhat absurd. Unfortunately, with HIPAA violations carrying penalties averaging in the five figures—not to mention the often-costlier reputational damage done when an organization is publicly cited for unsafe data handling practices—most small healthcare providers can’t afford to be out of compliance.

To navigate this Catch-22, here’s what you need to do. You must be aware of HIPAA’s business associate standards, and you must carefully vet your managed service providers (MSPs) to ensure that they fully understand (and comply with) this aspect of HIPAA.

You also need to understand one other HIPAA requirement—a covered entity’s business associates must sign and operate under a business associate agreement (BAA), which is a legal document that specifies the conditions under which a business associate is allowed to interact with PHI. The BAA can include details such as the exact tools—data encryption, device access controls and more—that an IT vendor delivers to achieve effective and HIPAA-compliant data protections. A BAA must be executed with vendors before any PHI is shared.

Therefore, when it comes to the responsibility of vetting IT companies, one valuable technique is to enlist those that proactively delineate your responsibilities under HIPAA, and offer a robust BAA as part of their services to you.

In reviewing and vetting existing IT suppliers, it’s essential to make sure not only that any MSP your organization works with is HIPAA compliant, but also that they have a thorough knowledge of both their responsibilities as a business associate and their requirements under HIPAA’s BAA criteria. Any current MSP should have effective procedures, processes, and services in place to ensure that you, as their covered-entity client, are compliant as well.

It’s common for covered entities to work with service providers, such as Compliancy Group, that explicitly provide HIPAA risk assessment, compliance coaching, employee training and audit support, and that will even verify compliance to help organizations in the event of a HIPAA audit. Such providers simplify compliance on your behalf, helping to demonstrate that your contracts with current and future IT providers meet HIPAA regulatory standards.

By understanding the HIPAA requirements that your small healthcare organization has a direct responsibility to meet, you can make sure that your IT vendors will handle the rest when it comes to establishing fully compliant practices.
