The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996 and provides federal protections for individually identifiable health information held by Covered Entities and their Business Associates (BA).
Covered entities include: doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies. If your business provides services to a covered entity, you may be considered a Business Associate, whether you realize it or not, and be subject to HIPAA.
Why is this important? Because if you are a BA and do not comply with HIPAA, your company can be heavily fined depending on the class of violation and the circumstances. The fact is that many small businesses, such as law firms, accountants, etc., have Covered Entities as clients and may not realize that they are expected to comply with HIPAA regulations.
For instance, a local law firm handling cases for a small clinic or doctor’s office may be considered a Business Associate. A great article on 4medapproved.com explains this concept in detail.
Courts have been taking action. In 2013, the owner of a medical supply company in New York was convicted of wrongful disclosure of private patient information, among other things. In another case, a company settled with the Government after it was informed that a copier it had formerly leased, which its leasing agent subsequently sold to another company, still contained client files on the copier's hard drive that were never erased.
An internet search will undoubtedly list many more examples of violations and fines being levied on businesses of all sizes.
What to do:
- Go to the U.S. Department of Health & Human Services website and find out about HIPAA and the rules governing Covered Entities and Business Associates. If needed, seek legal counsel to determine your obligations under the law.
- Implement policies and procedures to detect, prevent, contain, and minimize security violations.
- Make sure that only appropriate personnel have access to electronic health information and have procedures and systems in place to prevent unauthorized access.
- Confirm that health information is securely wiped and the media destroyed when discarding equipment. Merely deleting information from the hard drive is not good enough.
- Make sure your network is protected by a firewall and attached systems have updated anti-virus and anti-malware software.
- Ensure that backup files being transmitted to cloud servers are appropriately encrypted in transit and are stored in HIPAA-compliant data centers.
- Finally, if you are a Covered Entity or Business Associate (BA), consult with your IT provider regarding network, server, and workstation security.
XSolutions will be happy to discuss your system’s security with you. Call us at (845) 362-9675.