Safeguarding protected health information is becoming more challenging every day, especially for companies operating in healthcare verticals who do not always understand that compliance issues apply to them. Yet, under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, companies operating in a variety of healthcare verticals are categorized collectively as “Business Associates” and as such, are required to act in accordance with the HIPAA regulations.
Together, these rules establish national standards for how companies should handle sensitive patient data and ensure data confidentiality, availability, and integrity. HIPAA threw a curve ball at the healthcare industry, with mandatory requirements that sent providers scrambling to ensure compliance under HIPAA’s rules and regulations.
How Do You Define “Healthcare Companies”?
What kind of healthcare companies does this impact? The short answer: More than you think. Healthcare companies and anyone operating in a healthcare vertical include anyone who has access to electronic patient health information (ePHI) and any organization that stores, transmits or receives ePHI.
Companies operating in the healthcare space who are subject to HIPAA rules can include (but are not limited to) organizations that provide the following services:
- Revenue cycle management
- Coding/Documentation services
- Collection and A/R recovery services
- EHR software and solutions
- Patient records management services
- Document management services
- Medical software/SaaS services
- Mobile healthcare services or applications
- Healthcare IT services
- Practice management services
- Contract management services
- Radiation document and image management services
- Health plan administration and services
These are but some of the many companies operating in the above healthcare verticals who could be considered a Business Associate under HIPAA regulations. Any company that provides services to organizations defined by HIPAA as “Covered Entities” may well find itself subject to compliance regulations with which they are not familiar.
What are “Covered Entities”?
HIPAA defines “Covered Entities” as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit health information in connection with transactions for which HHS has adopted standards. The HIPAA Omnibus Final Rule goes into stipulations for Business Associates in greater detail. What BAs should take away from the Final Rule is that they may be held liable in the event of a HIPAA breach in many of the same ways that Covered Entities (CEs) may be.
The Cost of Noncompliance
The risks and costs of being found non-compliant can be steep. The Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to a settlement for potential HIPAA violations caused by the theft of a mobile device that contained the ePHI of 412 patients. According to the U.S. Department of Health and Human Services notification, the CHCS provided management and information technology services as a Business Associate to six skilled nursing facilities. The settlement included monetary payment of $650,000 and a corrective action plan.
In a statement relative to this case, U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels said, “Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
According to HIPAA Journal and the Annual Cost of a Data Breach Study by the Ponemon Institute and IBM Security, the average cost of a data breach is now $3.86 million. This is an annual increase of 6.4 percent. The per capita cost of a data breach has risen by 4.8 percent, from $141 per record in 2017 to $148 per record in 2018.
The Importance of the Business Associate Agreement (BAA)
Healthcare companies, vendors, or providers who qualify as Business Associates are required to sign a HIPAA Business Associate Agreement (BAA). The document is an integral part of any contractual agreement with any provider of services, products, or applications, and must provide detailed information explaining how the Business Associates will respond to a breach of any kind, including one caused by any subcontractors used by the Business Associates. The BAA must also describe how a Business Associate will respond to an audit by the Office for Civil Rights (OCR).
HIPAA rules hold Covered Entities responsible for their own data breaches, as well as many of the things over which their Business Associates have direct control. If a covered entity is audited, its Business Associates may be required to provide certain files or documents in a very short amount of time, as prescribed by HIPAA. The BAA acts almost like a service level agreement (SLA) that ensures these and other needs will be promptly met.
For companies of all types and all sizes, this is serious business—and the regulatory authorities are intensifying their focus on any business operating in the healthcare space as it relates to compliance. Fines are being assessed with increasing regularity and all businesses operating in the healthcare space should take note.
To illustrate the importance of having a BAA in place, a Raleigh, N.C. orthopedic clinic agreed to pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a Business Associate Agreement.
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
HHS provides a template for business associate agreement language on its website to help covered entities and business associates execute agreements that address the business associate contractual requirements.
How Can You Manage HIPAA Compliance Issues?
Compliance with HIPAA regulations is a long-term process and at times can feel overwhelming. Yet, for companies operating in the healthcare industry, the risks associated with non-compliance are huge. Staying apprised of changes to HIPAA regulations can be a daunting task, but here are some actions you can take to make sure you know the latest.
1. Know Where to Find Resources. The Office for Civil Rights (OCR) provides a wealth of online information about safeguarding ePHI including FAQs, guidance, and technical assistance materials. One easy way to stay updated is to sign up for the OCR announcement-only Privacy and Security Listservs.
2. Ask Questions. It is critical that you ensure any Business Associates with whom you work fully understand their responsibilities and obligations regarding compliance. Take the time to ask and answer questions and highlight the HIPAA compliance requirements for business associates. These questions can include:
- What is your risk analysis plan?
- Do you encrypt your devices?
- What are your disclosure policies?
- What are your IT practices?
- How do you handle server maintenance and backup information?
- Do you or your employees use personal devices for ePHI?
- What are your password policies?
- Describe the company’s physical security.
- Do you do background checks on your employees?
- What kind of training do you supply your employees?
- What is your breach mitigation plan?
3. Explore HIPAA Compliant Hosting. HIPAA compliant hosting can alleviate some of the concerns that accompany being a business associate in a healthcare vertical. By working with a hosting provider that employs HIPAA compliance processes, healthcare-focused companies can construct a comprehensive plan that will, when combined with workplace safeguards and internal best practices, allow vendor partners to reach HIPAA compliance collaboratively. This collaboration of efforts is key, since HIPAA compliant hosting alone cannot eliminate risks that exist inside the workplace. However, it can help mitigate threats to ePHI and also afford easier access and management of a company’s IT infrastructure.
By taking action to evaluate your organization’s level of compliance with HIPAA rules—and that of any business associates with whom you work—and staying on top of HIPAA regulation changes and updates, you will ensure your company is maintaining the appropriate level of compliance and avoiding the risks and penalties of non-compliance.
LightEdge Knows HIPAA Compliance and Security
LightEdge has HIPAA secure data center locations at our Des Moines, Kansas City, Omaha, and newly acquired Austin and Raleigh data center facilities. With LightEdge, you can achieve auditable HIPAA compliance. With a specific background working with healthcare organizations, our data center and hosting solutions provide you with confidence you need to meet HIPAA requirements.
LightEdge offers a free risk assessment from our Chief Security Officer and Chief Compliance Officer as a resource to all of our customers. Compliance and security are top priorities to guarantee that your data is protected. While there is no certification for HIPAA, LightEdge has successfully undergone a third-party examination against the HIPAA Security Rule and has been issued a Type 1 AT 101 letter of attestation confirming our alignment with HIPAA safeguards. LightEdge is compliant with:
- ISO 27001
- ISO 20000-1
- SSAE 18 SOC 1 Type II, SOC 2 Type II and SOC 3
- PCI DSS 3.2
If you are interested in getting a risk-free assessment from our healthcare compliance experts, a tour of any of our HIPAA compliant data centers, or learning more about LightEdge’s compliance offerings, contact us here. We have cloud hosting security and compliance experts standing by to answer any of your questions.
If you want to learn more about HIPAA compliance download our two e-books, Patient Privacy and Data Security: Utilizing IT Vendors to Meet HIPAA Compliance and Avoid, and How to Deploy a Secure Compliant Cloud for Healthcare.
- Control the Risks of IoT and BYOD in Healthcare: Part I
- Control the Risks of IoT and BYOD in Healthcare: Part II
- How to Ensure Compliance in the Cloud Infographic
- HIPAA in the Cloud Infographic
- HIPAA Guidelines: Maintaining Security and Compliance in the Cloud