HIPAA Compliance: Evaluating Your I.T. Providers
At QCS, we have helped countless businesses in the healthcare industry get the services they need to maintain compliance with HIPAA (Health Insurance Portability and Accountability Act). We see it as a privilege to help you protect patient privacy and healthcare data.
We probably do not have to tell you that the penalties for violating HIPAA regulations are extremely costly, ranging from $50,000 per violation to as much as $1.5 million per year. You cannot afford to be cavalier about your network or your data, so we offer best-in-class solutions from top managed service providers to give you peace of mind.
Any IT business that does work for a company required by the Health Insurance Portability and Accountability Act (HIPAA) to keep its information confidential must itself maintain HIPAA compliance. HIPAA applies to Covered Entities and their Business Associates.
HIPAA requires that access to confidential patient health information (PHI) be monitored by the Covered Entity or Business Associate. Access means the ability to create, edit, view or delete any component of the data. The system that holds the data must have logs which reveal who had access to the information, how it was accessed, and at what time.
A company providing services to another company that works with patient health information must ensure that its services comply with the physical, network and process security measures required by HIPAA. Such a company is considered a “Covered Entity”, which must: ensure the confidentiality, availability and integrity of any electronic Patient Health Information that it transmits, maintains, creates or receives; identify reasonably anticipated threats to the security and/or integrity of that information and protect against them; protect the patient health information against reasonably anticipated, impermissible uses or disclosures; and ensure that any employees, contractors or agents of the Covered Entity also comply with HIPAA. A Business Associate is a company that provides services to a Covered Entity that in any way affect that confidential information.
Under this definition, essentially all IT service providers will be considered a Business Associate for the purposes of HIPAA.
The security measures take three forms: technical, administrative and physical.
Technical security measures must monitor and ensure that only pre-screened, authorized personnel have access to PHI. All access to PHI, or to the systems that contain it, must be logged and recorded. The modifications made during any access must be logged and tracked. Security must be sufficient to prevent unauthorized alteration or destruction of records.
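As an added illustration (not QCS's code or any product described on this page), the following Python shows what a minimal PHI access audit trail meeting the requirements above looks like: every event records who accessed which record, how and when, and each event is hash-chained to the previous one so that a later edit or deletion of a logged event is detectable. The user names, record ids and access methods are constructed sample values.

```python
"""PHI access audit trail: who accessed which record, how, and when.

Each event is chained to the previous one with a SHA-256 hash, so an
edit or deletion of an earlier event breaks verification. Note that the
chain alone cannot detect removal of the *last* event; the latest hash
must also be anchored somewhere the log writer cannot change.
"""
import hashlib
import json
from datetime import datetime, timezone

ACTIONS = {"create", "view", "edit", "delete"}  # HIPAA's notion of "access"
GENESIS = "0" * 64                               # prev-hash of the first entry


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class PhiAuditLog:
    def __init__(self):
        self.entries = []

    def record(self, actor, action, record_id, method, when=None):
        """Append one access event; the hash also covers the previous hash."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"actor": actor, "action": action, "record": record_id,
                "method": method, "time": when, "prev": prev}
        entry = {**body, "hash": _digest(body)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True only if every entry matches its stored hash and chain link."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def accesses_to(self, record_id):
        """The auditor's question: who touched this record, how, and when?"""
        return [(e["actor"], e["action"], e["method"], e["time"])
                for e in self.entries if e["record"] == record_id]
```

In a real deployment the entries would be written to append-only storage and the latest hash periodically copied to a system the logging host cannot modify.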
Administrative security measures must identify any potential risks to PHI and implement training and other steps to remedy those risks. Management must appoint official security personnel tasked with ensuring compliance. This person must randomly assess and report on the effectiveness of the HIPAA-compliant procedures and policies.
Physical security measures are those pertaining to the physical location in which such information is stored (e.g. a server room or doctor's office). Physical access to the facility must be limited, ensuring that only authorized personnel may enter. Further, physical access to terminals, servers, laptops, and desktops must be restricted to those authorized to use them. The machines themselves should be accessible only to authorized personnel, for example by locking the machines with a password or preventing the removal of a laptop from the facility.
Business Associates must sign a Business Associate Agreement (BAA) certifying that they comply, and will continue to comply, with HIPAA guidelines in their dealings with Covered Entities. Simply signing the BAA is not sufficient; the Business Associate must then follow the guidelines and implement policies and procedures consistent with HIPAA.