What is HIPAA and Why Does It Matter for IT Service Providers?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, was created by the federal government to protect the privacy of patients and streamline the health care administrative process.
For the most part, HIPAA isn’t a topic that many IT service providers would consider themselves experts on. Some might not even know what HIPAA is. Which sounds like, well…not the biggest deal. After all, why should the IT guy spend time researching some health care act, right?
While an encyclopedic knowledge of the HIPAA act isn’t necessary (impressive, yes, but not necessary), every IT provider should have a basic understanding of HIPAA and what they need to do to ensure compliance.
If you’re an IT professional unfamiliar with current HIPAA rules and regulations, you may be thinking, “Compliance? I don’t work for a healthcare company and I’ve got nothing to do with HIPAA!”
Not all IT service providers deal with HIPAA regulations, of course. However, if any of your clients are in the health care sector (even, for example, a law firm that deals with HIPAA-protected information), it’s important to take note of the following HIPAA regulation:
To take that a step further, it’s important to note what the terms “covered entity” and “business associate” mean, from HIPAA’s perspective.
- A “covered entity” refers to a health care provider, a health plan, or a health care clearinghouse—in other words, your health care client.
- The definition of “business associate” has been expanded considerably, and now includes anyone handling or maintaining electronic protected health information (ePHI). HIPAA regulations no longer differentiate between “having access to” and “actually accessing” ePHI. Subcontractors who work for business associates and have access to ePHI are likewise responsible for HIPAA compliance.
Many of my clients are under the assumption that in order to be considered a business associate, a contract or written agreement to such effect would have to be signed. Under HIPAA’s expanded definition of a BA, simply acting in a manner that would qualify you as a BA makes you one.
So, if you have health care clients and access to sensitive patient information (which, as an IT provider, you likely do) and/or are responsible in any way for handling or maintaining ePHI (which, as an IT provider, you likely are), you’re obligated to comply with HIPAA and may be liable as a BA.
As an IT service provider, one of your biggest responsibilities in terms of HIPAA compliance is password security. After all, no one’s going to look to you if there’s a break-in and physical files containing patient information are stolen. But what if a hacker gains access to the network and system files? Your client might turn to you for an explanation of how the breach happened.
Here are a few ways to strengthen your password security and maintain compliance with HIPAA:
Use a password management system (if you’re not already)
Regardless of the size of the company or the number of employees, a password management system should be used to manage password security and eliminate the “human error” factor—especially when dealing with a health care client, and especially when you consider just how many passwords/logins most employees use on a daily basis. Using a password management system allows you to easily enforce and maintain a smart password policy: automate strong password generation, automate the changing of passwords every three, six, or nine months, decide which permissions are authorized to whom, and more.
Consider multi-factor authentication (MFA)
A business that uses only passwords for data access is using single-factor authentication: the user need only enter a password to gain access. Adding another required “factor” to the authentication process, such as a number code from a hardware token or a one-time code from a secure mobile app, is called multi-factor authentication, and it adds an extra layer of security that can make a huge difference in the event of an attempted security breach. MFA is quickly becoming the standard in enterprise security, and getting your client on board is sure to help you sleep better at night.
Train your clients and their employees on password security
HIPAA regulations clearly spell out that employees dealing with ePHI must be trained on work-related security. Speak with your client to set up regular trainings and ensure all employees understand the basics of password security and why it’s so important.