How the HIPAA Security Rule Affects Your Business
By Brian Shrift, HCISPP
When most business people think about HIPAA, they often write it off as applying only to those in the healthcare industry. However, even if you are not in the healthcare industry yourself, your business could be subject to HIPAA if you work with clients in the healthcare industry or if your clients work with clients in the healthcare industry.
If you work with hospitals, physicians, pharmacies, therapists, dentists, chiropractors or any other business which is considered a “Covered Entity” under HIPAA, you may be considered a “Business Associate” and subject to the HIPAA Security Rule. In addition, if your clients are considered Business Associates, you may also become a Business Associate, identified in the HIPAA rules as a “downstream vendor.”
If you are a Business Associate, either directly or as a downstream vendor, you must, among other things, comply with the HIPAA Security Rule (the “Security Rule”). The Security Rule’s primary objectives are to ensure the confidentiality, integrity and availability of protected health information (“PHI”). In plain English, the law was written to ensure that adequate safeguards are in place to protect patient information from unauthorized access and disclosure and from improper alteration or deletion, and to ensure that the information is accessible when needed.
The Health Information Technology for Economic and Clinical Health (“HITECH”) Act was enacted as part of the 2009 stimulus bill. One of the primary purposes of the HITECH Act was to provide a series of amendments, clarifications and updates to HIPAA – including a significant increase in enforcement activities and penalties. The HITECH Act also marked the first time that Business Associates could be found to be directly liable for HIPAA violations.
It is worth noting that while the Security Rule has been in force since 2006, the minimal penalties that were initially levied for noncompliance created little incentive for healthcare providers to invest in compliance. With the HITECH Act ushering in penalties up to $1.5 million, noncompliance became a costly risk.
Q & A
Our business doesn’t involve medical records. We’re their accountant. Why does this apply to us?
First, being a Business Associate does not require having possession of what is generally thought of as a medical record. Therefore, it is important to understand the role of a Business Associate. The U.S. Department of Health and Human Services has defined a Business Associate as follows:
A “Business Associate” is a person or entity, other than a member of the workforce of a Covered Entity, who performs functions or activities on behalf of, or provides certain services to, a Covered Entity that involve access by the Business Associate to protected health information. A “Business Associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another Business Associate.
Under the above definition, merely having “access” to PHI is enough to make you a Business Associate.
I still don’t understand why this applies to me; I only have financial information from my clients. I don’t have access to any of their patients’ medical information. All I have are names and addresses in QuickBooks for billing and collections.
Having access to the patient’s name and address is the reason you’re considered a Business Associate, as both the patient’s name and address are considered PHI. Here are just a few of the 18 identifiers which are considered PHI: Name, Address, Phone Number, Fax Number, Email Address, Social Security Number, and Account Numbers.
So I’m a Business Associate. What does that mean?
Being a Business Associate means that you are subject to compliance with the Security Rule, just like your client.
The Security Rule focuses on three core areas: Administrative, Physical and Technical Safeguards. The following review covers just a few of the items from each of these three areas. This information will provide a better understanding of some of the requirements for Business Associates as you consider your compliance activities.
Administratively, a Business Associate is required to have an accurate inventory of the hardware and software that contain PHI. This inventory is crucial for determining which devices need to be protected from viruses and spyware, have their logins monitored, and have their passwords managed. Furthermore, not only does each of the Business Associate’s employees require a unique login, but each employee should be granted access only to the PHI required to complete his or her specific job tasks.
Physical safeguards ensure that traditional physical protections for your equipment are in place, such as locked doors, screen barriers and cameras. A data backup is also required, and it should be maintained offsite to ensure PHI is not lost in the event of a disaster such as a fire, flood or theft.
Technical Safeguards address the way in which Business Associates manage electronic PHI (“ePHI”). Many of the technical safeguards elaborate upon the Administrative Safeguards. They detail things such as the type of backup policies you have in place in the event that your data is lost or otherwise inaccessible, the encryption policies you have in place, or how your organization effectively recovers from an emergency to resume normal operations (your emergency mode operations plan).
I don’t want to have to do all of that. I like debits and credits, and love a good Sales and Use Tax Audit. How can I do my job and not be subject to HIPAA?
Unfortunately, that’s challenging. The only way to exclude yourself from being a Business Associate is to have zero access to PHI. Can you effectively perform the tasks required by your client without accessing PHI? Are you going to stop visiting and working from your client’s office? Clients may not be willing to make these accommodations, particularly if this reflects a substantial change from your current operations.
What can I do to comply with the HIPAA Security Rule?
Your first action item will be to speak to an IT consultant who specializes in HIPAA. Your attorney can also be a great source of information and guidance when it comes to HIPAA, particularly the privacy rules that have not been addressed in this article but are also required for complete HIPAA compliance. The Security Rule, on the other hand, is quite technical, and you will need an IT professional with the comprehensive technical experience it requires.
For more information on the Security Rule and the HITECH Act, please visit our website: HIPAASecurityHelp.com.
Brian Shrift is President of Precision Business Solutions. Mr. Shrift is a certified HealthCare Information Security and Privacy Practitioner.