Help your users become HIPAA Compliant
In January 2013, the United States Department of Health and Human Services (HHS) published its Omnibus Final Rule, which updated the HIPAA rules governing the protection of patients' protected health information (PHI).
Traditionally, HIPAA set strict guidelines for safeguarding PHI within the healthcare organization itself: the insurance provider, health plan, hospital, physicians and their offices. With the rules that took effect in March 2013, HIPAA made "business associates" directly liable for a breach or compromise of PHI, and extended that definition to their subcontractors. Any company, contractor or subcontractor, including an MSP (managed service provider), that creates, receives, maintains or transmits PHI on behalf of a healthcare organization must now comply with HIPAA regulations.
All MSPs Must Comply
Many managed service providers do not handle confidential patient data as a core element of their business. However, they may well come across that data in the course of working for a healthcare organization such as a physician's office. A help desk technician who connects remotely to a medical office's computer can end up viewing confidential patient records, and an engineer migrating data from a laptop or server to a larger drive may be copying PHI.
The new HIPAA rules state that a data storage company that maintains a patient's protected health information, whether on paper or digitally, qualifies as a business associate even if it never actually views the information, or sees it only infrequently or incidentally. That language means a managed service provider offering remote or cloud backup to a healthcare client is a business associate.
Once an MSP is classified as a business associate, regardless of whether using PHI is part of its business, it has to follow the same compliance obligations as the covered entity: signing a business associate agreement, and maintaining written policies and procedures, workforce training, and documented evidence that those policies are actually followed.
The Department of Health and Human Services sets strict civil penalties for noncompliance by healthcare organizations and their business associates. At the top tier the fines reach $1.5 million per calendar year for all violations of an identical provision.
The Privacy Rules
Business associates are bound by the same limits the HIPAA Privacy Rule places on the covered entity: it restricts how protected health information may be used, disclosed, handled or transmitted, and it gives patients the right to an accounting of disclosures, which means the business associate has to keep records of the disclosures it makes. Encryption itself comes from the Security Rule, where it is an "addressable" specification rather than a blanket mandate, but in practice PHI in transit and PHI stored in the cloud should always be encrypted: a breach of properly encrypted data does not trigger breach notification, while a breach of unencrypted data does.
Expected Security Measures
The HIPAA Security Rule governs every process used to protect electronic PHI (Protected Health Information) and groups its safeguards into administrative, physical and technical categories. At a minimum they should include:
- Clearly defined access control policies, procedures and technology to prevent unauthorized access to PHI, including unique user IDs and audit logs of who accessed what.
- Physical controls such as locked and restricted areas wherever protected health information is stored.
- A data backup plan, an emergency mode operations plan and a disaster recovery plan, tested rather than merely written.
- Proven technical security mechanisms, including encryption of PHI whenever it is transmitted over a network.
HIPAA also opens the door to additional services: a managed service provider can help its clients become and stay HIPAA compliant. Offering continuous compliance tracking, for example, lets an MSP add a service that may not yet be part of its core business.