Technology Blog »

IT Support Also Needs to be HIPAA Compliant

IT Companies need to be HIPAA Compliant

Healthcare as a profession is complex no mater which way you slice it.  Whether you are a doctor, psychologist, medical practice, clinic, laboratory or even a medical billing company it is challenging enough without the added burden of trying to understand the seemingly never ending list of HIPAA rules, regulations, suggestions and responsibilities, especially when it comes to technology which may or may not be your thing.

First off a few basic things you need to know when it comes to HIPAA and your technology outsourcing

Business Associates and Business Associate Agreements

You will need to have a BAA in place with any vendor or contractor that has access to any ePHI (electronic protected health information) so this includes your IT vendor as they will often have access to ePHI. Often one of the most commonly overlooked items that can have a devastating consequence for your practice during a HIPAA audit is discovering that you overlooked have a BAA in place with your IT vendor or that you're using an IT company that is not HIPAA compliant.  At the end of the day the responsibility falls on you and you can't transfer your responsibilities and you shouldn't just assume that they are compliant.  By having the BAA in place you are ensuring that the vendor you use has to acknowledge and abide by HIPAA regulations.

What Happens If I don't have a BAA in place with my IT Vendor? Some of the largest fines to date have been handed down for failure to have a BAA in place.  A $5.5 million dollar penalty was handed down this year to a Hospital in Chicago and one of the 3 major reasons for this landmark penalty was not having a BAA in place with just 2 of their technology vendors who had access to ePHI, completely avoidable.

Where do I get a BAA?  The government makes sample BAA's available to you on their website or you could contact us and we will supply you with a free BAA document.  Do you have a Business Associate agreement in place with your IT consultant?     

The bright side of things is that compliance and regulations have become slightly more transparent over the past year. However, there are still a few areas that offices are still being penalized for HIPAA violations. It's not necessarily negligence; usually it is simply a lack of requirement knowledge and understanding. Yet when it comes to Federal Law this is a black and white issue that carries significant penalties (such as criminal negligence chargers and fines upwards $100,000). 

You're not alone. Certainty over which areas of your IT meet compliance and those leaving you vulnerable to penalty is a hassle. There is good news though. Assessing the entirety of your IT for HIPAA compliance doesn't have to be your hassle. IT consultants will happily do this for you. Better yet, having a partnership agreement with a Managed Service Provider (MSP) like Delaney Computer Services not only ensures you are compliant - it keeps you compliant after an assessment or audit is complete. 

However, if your business has not made the smart move of outsourcing your IT to an MSP, here are three HIPAA rules and regulations you should know:

ALL of your information must be HIPAA Compliant (not just EHRs)

Does your office contain individually identifiable ePHI data sets on-site? Let me tranSLAte that from geek-speak to English: Do you have information such as billing records, appointment information and test results at your business site? If you do they must be kept on HIPAA compliant devices, as well as stored on secure servers.  A lot of medical practices using cloud-based storage overlook this. Sure, it is efficient to have your EHRs on the cloud and easily accessible. But make certain that the rest of your ePHI data is protected as well. This simple mistake is resulting in some major fines.

Your protected health information notice must be available online 

Hopefully there are not many practices or businesses that still do not have a website. If you are one of those that don't, you may skip ahead. Those of you that have a website, keep reading. HIPAA rules dictate that your website needs to contain an updated copy of your protected health information notice at all times. This notice must be accessible to patients. If your website does not currently have an up-to-date copy of this notice posted, it is highly advisable you make it a priority. It is easy to put it off and can be a hassle if there is no tech savvy person at your office, but the penalty for non-compliance is costly. 

Healthcare business associates also must be HIPAA-compliant

Thought this isn't going to be relevant to your business? Contrary to the belief of some, it's not just practices, healthcare clearinghouses and health plan organizations that are required to be HIPAA compliant. Any other business that has access, electronic or otherwise, to protected health information is required by law to be HIPAA-compliant. This includes any accounting or law firms you work with that access your files electronically. Take this simple suggestion: ask your associates if they are HIPAA compliant.

If they are, go the extra mile and ask them the last time they assessed the situation.

If they are not, immediately revoke their file access. Do not grant them access until they take corrective action, as it is both of you that would be penalized.            

Not sure if you’re 100% HIPAA-compliant?

Losing sleep over Technology Problems, Data Encryption and Security Threats?

Delaney Computer Services employs individuals who are extensively trained and familiar with all HIPAA regulations and requirements. DCS has experts who can run the necessary risk analysis and assist in correcting any areas of your technology that are leaving you vulnerable to criminal chargers or hefty fines.