Most medical practices are aware of the HIPAA and HITECH requirements that affect their organizations, and the fines that they face if they are not compliant in the ways they handle patient health information (PHI).
What a lot of professionals don’t know is that a recent addition to the HIPAA and HITECH regulations holds business associates, (i.e. other professionals from other companies who have access to patient health information) just as responsible for sensitive patient data privacy and protection as the medical practices who own that information. And, these organizations are just as subject to significant fines for putting that information at risk. Proof of PHI security and compliance must be made available for review by auditors, and non-compliance can result in criminal penalties, fines, and even imprisonment for individual owners, employees and business associates.
What Kinds of Business Associates Need to be HIPAA/HITECH Compliant?
A business associate is a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and /or disclosure of PHI. A business associate is not a member of the health care provider, health plan, or other covered entity’s workforce.
- Technology companies that host others data (web hosting, data centers, etc)
- Self-storage (if medical records are stored)
- Building owners and management/maintenance companies (if they have keys to tenant offices, they potentially have access to their PHI)
- Financial service firms that sell life insurance
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
HIPAA Business Associate Requirements: To comply with HIPAA and HITECH regulations, covered entities and their business associates must prove they have appropriate PHI-handling processes in use. Likewise, covered entities must have written agreements and proof-of-compliance documentation from all business associates and subcontractors with access to PHI. When conducting audits, federal officials will check to see if organizations have implemented appropriate controls and safeguards to prevent unauthorized access and disclosure of sensitive patient data.
Click here for a free compliance review.
For more information on HIPAA/HITECH compliance and the HIPAA/HITECH compliance services that Skoda Minotti Technology Partners can offer to your medical practice or business associate organization, please call 440-449-6800.