Healthcare as a profession is complex no matter which way you slice it. Whether you are a doctor, psychologist, medical practice, clinic, laboratory or even a medical billing company, the work is challenging enough without the added burden of trying to understand the seemingly never-ending list of HIPAA rules, regulations, suggestions and responsibilities, especially when it comes to technology, which may or may not be your thing.
Business Associates and Business Associate Agreements
You will need to have a BAA in place with any vendor or contractor that creates, receives, maintains or transmits ePHI (electronic protected health information) on your behalf. That includes your IT vendor, since anyone who administers your servers, workstations, backups or email will routinely have access to ePHI, whether or not they ever open a patient record on purpose.
One of the most commonly overlooked items, and one that can have devastating consequences for your practice during a HIPAA audit, is discovering that you never put a BAA in place with your IT vendor, or, in a lot of cases, that you are using an IT company that is not HIPAA compliant. The key thing to understand is that at the end of the day the responsibility falls on you and your HIPAA compliance officer. You cannot fully transfer your obligations to someone else, and you should not simply assume that a vendor is compliant. You need to verify that you are working with an IT support company that works with HIPAA covered entities and follows the rules. By having the BAA in place you are, at the very least, ensuring that the vendor has acknowledged in writing that it must abide by HIPAA regulations.
Some of the largest fines to date have been handed down for failure to have a BAA in place. A $5.5 million penalty was handed down this year to a hospital in Chicago, and one of the three major reasons for this landmark penalty was not having a BAA in place with just two of their technology vendors who had access to ePHI. That was completely avoidable.
Do you currently have a Business Associate Agreement in place with your IT support provider? The government makes sample BAA provisions available on its website, or you can contact us and we will supply you with a free BAA document.
The bright side is that compliance and regulations have become slightly more transparent over the past year. However, there are still a few areas in which offices are being penalized for HIPAA violations. It is not necessarily negligence; usually it is simply a lack of knowledge and understanding of the requirements. Yet when it comes to federal law this is a black and white issue that carries significant penalties, including criminal charges and fines upwards of $100,000.
You're not alone. Working out which areas of your IT meet compliance requirements and which leave you exposed to penalties is a hassle. There is good news, though: assessing the entirety of your IT for HIPAA compliance doesn't have to be your hassle. IT consultants will happily do this for you. Better yet, a partnership agreement with a Managed Service Provider (MSP) like Delaney Computer Services not only gets you compliant, it keeps you compliant after an assessment or audit is complete. If your business has not yet made the smart move of outsourcing its IT to an MSP, here are three HIPAA rules and regulations you should know:
Does your office contain individually identifiable ePHI data sets on-site? Let me translate that from geek-speak into English: do you have information such as billing records, appointment information and test results at your business site? If you do, it must be kept on devices and servers that meet the HIPAA Security Rule safeguards (access controls, encryption, audit logging and backups), not just wherever it happens to land. A lot of medical practices using cloud-based storage overlook this. Sure, it is efficient to have your EHRs in the cloud and easily accessible, but make certain that the rest of your ePHI, the spreadsheets, scanned documents and email on local machines, is protected as well. This simple mistake is resulting in some major fines.
Think this isn't going to be relevant to your business? Contrary to what some believe, it's not just practices, healthcare clearinghouses and health plan organizations that are required to be HIPAA compliant. Any other business that has access, electronic or otherwise, to protected health information on your behalf is a business associate and is required by law to be HIPAA compliant. This includes any accounting or law firms you work with that access your files electronically. Take this simple suggestion: ask your associates if they are HIPAA compliant.
If they are, go the extra mile and ask them when they last performed a risk assessment.
If they are not, immediately revoke their file access. Do not restore it until they have taken corrective action and signed a BAA, because both of you would be penalized.
Delaney Computer Services employs individuals who are extensively trained in and familiar with HIPAA regulations and requirements. DCS has experts who can run the necessary risk analysis and assist in correcting any areas of your technology that are leaving you vulnerable to criminal charges or hefty fines.