What You May NOT Understand About HIPAA Compliance

If you’re involved in the health care industry in the U.S., you’re undoubtedly familiar with HIPAA (the Health Insurance Portability and Accountability Act of 1996). HIPAA was originally passed by Congress in an effort to standardize the health care industry, protect the privacy of personal health information and provide easier access to health insurance. Although many agree that a growing understanding of HIPAA compliance has been effective along those lines, others argue that the act has brought with it a mixed bag of improvements and a heavy amount of bureaucratic red tape.

Whether or not the red tape is a nuisance is of little consequence since the penalties for non-compliance can include stiff monetary fines or even a prison sentence. These penalties don’t just affect the health care industry itself – managed service providers are equally liable. There’s no doubt about it: when it comes to understanding HIPAA compliance, we all have a vested interest.

How Much Protection Does a BAA Provide?

If you work with a service provider or some other type of vendor, you’ve probably signed a BAA (Business Associate Agreement) as part of your business relationship. But that doesn’t necessarily mean that the entity you’re doing business with is compliant. It’s important to remember that a signed BAA does not completely protect your business. In fact, your health care organization will still be held liable for non-compliance even with a signed BAA in place.

Understanding HIPAA Compliance: Start with an Experienced Managed Services Provider

In order to adequately protect your business, it’s crucial that you make certain your provider is taking the following necessary steps to ensure compliance with HIPAA:

  • The provider is using an up-to-date BAA form. On September 23, 2013, the Department of Health and Human Services implemented new HIPAA rules. At the same time, it allowed organizations 12 months to revise their BAAs to reflect those new rules. That one-year period expired on September 22, 2014, which means your provider’s BAA should reflect the revised rules.
  • Make sure you understand exactly what measures your provider has in place to protect your data. It is the responsibility of the health care organization to understand fully how its information will be protected and to obtain proof of the measures the provider will put in place.
  • How about your provider’s subcontractors? Remember that many providers contract out a certain amount of their business to subcontractors. Once again, it’s the responsibility of your health care organization to make sure that your data is protected – not only by your provider, but by their subcontractors as well.
  • Remember that safeguarding your data starts with your own employees. While it’s crucial to make sure your provider is protecting your data, don’t overlook the actions of your own employees. Are they downloading sensitive data to their home computers to put in some extra hours at home? Are they working at home on an encrypted laptop, but then emailing their finished project back to the office and inadvertently putting that data at risk? Even the most well-meaning employee can make any number of serious mistakes, thereby putting your entire organization at risk of becoming non-compliant.
  • Talk to your provider about how they dispose of data. After your BAA expires, you need to make certain that your provider will take the steps necessary – with a method such as a secure shred wipe, for example – to make sure that your information is completely and permanently deleted.

With penalties such as exorbitant fines and long stints in federal prisons in place, it’s critical that we all do as much as possible to ensure that we remain HIPAA compliant. Rest assured that PointClick’s highly trained professional staff fully understand HIPAA compliance and its complexities. We are more than happy to provide you with all the information you need to ensure that your organization – and ours – remain compliant.