New rules put many businesses at risk
New regulations governing the protection of patient health information went into effect in 2013, and any grace period for enforcement has come to an end. These changes strengthened the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act, regulations designed to protect patient data from accidental or intentional disclosure.
Now, any company that processes, stores or transmits personal health information directly or indirectly on behalf of a HIPAA-covered entity will fall under these newly expanded, stricter regulations.
Are you subject to HIPAA/HITECH now?
A major recent change involves who is affected by HIPAA. Before, the businesses most affected were primarily involved in providing medical services: hospitals, doctor’s offices and dentists, for example. Also, anyone involved in paying and processing insurance claim information was subject to the law. If you didn’t fall into one of these categories, you probably didn’t fall under the HIPAA regulations.
But today, the list of companies that are affected has just gotten exponentially longer, expanding many of the requirements to business associates that receive protected health information, such as contractors and subcontractors. According to the Department of Health and Human Services, the term “business associates” now includes firms that “create, receive, maintain or transmit health information for other businesses covered by HIPAA, the HITECH Act and their regulations.”
Doesn’t that sound like a telecommunications firm to you?
Your choice of a communications provider could jeopardize your business’ compliance. That includes telecommunications providers, as well as thousands of businesses that thought they didn’t have medical privacy issues. And if your business associates are affected, you might be subject to the new rules, too.
What should business owners and manager ask their communications services providers?
Because fines can be steep – up to $1.5 million for egregious violators – lots of business owners are confused about what they need to do to ensure that they handle these issues well, and that their “business associates” do, too. Here are some questions to ask representatives at the firms that provide your business phone service, fax services and call centers.
1. Are you a HIPAA-compliant business associate? Many companies aren’t, and having them as a business associate could risk your compliance if you use their services.
2. What steps has your company taken to ensure compliance? For telecommunications providers, compliance is an extensive, continuing process. Not only must they make sure their company complies, but they need to verify that their own circle of business associates is compliant.
3. Has your HIPAA compliance been assessed by independent experts? It’s important to get actual third-party verification, so that you don’t risk your firm’s compliance. Salespeople are often confused about the new rules themselves and could mislead you, so ask for third-party verification.
4. Can your telecommunications firm (business phone service, fax service, call center, Web conferencing provider, etc.) provide my business with a HIPAA Business Associate Agreement? Such an agreement attests that the issuing firm is handling HIPAA-covered information carefully and responsibly, and that it is “safe” to do business with the firm as a HIPAA-compliant business associate without jeopardizing your own compliance. In particular, “If you use a cloud-based service, it should be your business associate,” says David Holtzman of the U.S. Health and Human Services Office for Civil Rights, Privacy Division. And, he adds, “If they refuse to sign, don’t use the service.”
5. Can the services that you provide my business be configured to be HIPAA compliant? Some companies don’t even claim to provide compliant systems and warn customers away from relying on their services if compliance is needed. With a little digging (and these questions), you can find out which business phone service companies have made HIPAA compliance a priority.
6. Can you recommend particular configurations of our system to help us comply? Providers that make compliance a priority can often supply you with expertise or suggestions to help you comply, and they’re more likely to have a compliance officer who can explain what you need to do.
7. Can your firm provide encryption for both “data in motion” and “data at rest”? When information, such as phone calls and faxes, is being sent, it’s subject to regulations for data in motion. And when data is stored (data at rest), such as in voicemail and faxes, it should also be encrypted for protection. Many service providers don’t offer both forms of encryption, but some do. Choose wisely for the best protection.
Many businesses that are too small to support a compliance officer or department are understandably intimidated by HIPAA compliance issues. But a few communications providers are increasingly shouldering more of the burden of compliance, so picking the right one is critical.
One company using a HIPAA-compliant solution is ICANotes, provider of a Web-based electronic healthcare records solution for psychiatrists and other behavioral health professionals. The company chose a HIPAA-compliant business VoIP solution for its business phone service and communications needs, in part because of the priority that the company places on HIPAA compliance.
“We rely on business VoIP communications services to help us run our business efficiently and securely,” says Jamie Morganstern, Operations Director at ICANotes. “With our HIPAA-compliant communications provider, we have safeguards in place to pledge the confidentiality and integrity of the health information of our customers.”
Your business can achieve HIPAA compliance, too. Asking smart questions goes a long way toward meeting that goal.
About the author
Mike McAlpen, Executive Director of Security and Compliance, 8×8 Inc.
