The Health Insurance Portability and Accountability Act (“HIPAA”), the federal law that protects the privacy and security of individually identifiable health information, remains one of the most confusing, overstated, and often ignored mandates affecting small businesses. Whether you are a medical practitioner, or a business supporting medical practitioners, HIPAA can, and will, affect your operations.
For those of you who work administratively in the field of medicine, I’m sure HIPAA compliance concerns are all too familiar. For many, however, there is no clear understanding of what it means to be certain you are operating within HIPAA’s mandates. For those of us in IT, it comes down to meeting the security risk analysis obligation under the HIPAA Security Rule.
So how do you determine whether your operations and vendors meet that obligation? The Department of Health and Human Services, through its Office for Civil Rights and the Office of the National Coordinator for Health IT, has released a Security Risk Assessment (SRA) Tool to assist small and mid-sized organizations subject to HIPAA. The Security Rule defines the required risk analysis as an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by a covered entity or business associate. The risk analysis itself is a HIPAA requirement; the SRA Tool is intended to help entities meet it by walking through 156 questions that focus on information security compliance risks.
The tool can be found here: https://www.healthit.gov/providers-professionals/security-risk-assessment-tool and I would encourage its use.
While intended for medical facilities and practitioners, the SRA Tool can also lead to an understanding of HIPAA’s impact on third-party vendors. For me, it raises several questions and concerns which your business operations may want to consider as well:
• Is your email to a patient or vendor, which may contain ePHI, encrypted?
• Is your BDR (Backup and Disaster Recovery) solution, and the vendor behind it, HIPAA-compliant?
• Is your data encrypted in transit (for example, when backed up off-site or sent to a cloud vendor)?
• Where is your archive data stored, and is it encrypted while at rest?
• How are you securing information on mobile devices?
• Do you offer remote access for your staff, and is it secure?
• Are your fax machines and printers in a secure location?
Many vendors will claim to be HIPAA-compliant simply because they meet a few criteria. However, once someone with IT expertise asks specific questions, it’s all too often revealed that the vendor is only sort of compliant. Under HIPAA, mostly compliant equals non-compliant.
It is up to you to determine which vendors and associates are compliant, and which ones are not, before you engage in HIPAA-sensitive transactions. Unfortunately, there is no certifying authority or accompanying certificate for HIPAA compliance (yet); most vendors are simply self-attesting. To be truly compliant they would need to perform a security risk analysis, conduct a network vulnerability assessment, and implement policies and procedures that would stand up to an audit. If they did, you could simply ask for a copy of their yearly audit attestation report and be confident they are HIPAA compliant. To add more confusion, a vendor’s subcontractor, with whom the vendor transacts on your behalf, needs to be HIPAA compliant too, and it is your business’s responsibility to make certain the whole chain is.
What does all of this mean? For most business operations that handle patient medical information (this includes law offices taking medical malpractice cases, freelance physical therapists, chiropractors, etc.), a careful audit of IT operations and vendors is most definitely necessary. I can assure you from my personal experience sitting on a hospital Board: it’s better to be safe than sorry when dealing with HIPAA compliance. Ask a lot of questions, treat pretty much every bit of data as though it were ePHI, and have a good IT consultant resource for performing a Security Risk Assessment annually. As a business manager, it’s your responsibility to show due diligence and professional care in HIPAA compliance.
Did I mention the HIPAA Business Associates Agreement?
More to come…