2014.11.19 Tech Corner

HIPAA Compliance is Not Just for Doctors’ Offices

Article By: Rich Silva – Founder – Pain Point IT Solutions, Inc.

At some point in time most of you have read an article here and there about HIPAA Compliance. For those of you who don’t know, HIPAA is the acronym for The Health Insurance Portability and Accountability Act. For those of you who have read an article and pushed it aside thinking that since you’re not a medical practice, it has nothing to do with you; please read on.

Initial Intention of HIPAA Law

The initial intention of HIPAA law in 1996 was to set the framework for establishing later laws on how patients information was to be stored and shared. Today, over 750,000 hospitals, emergency clinics, dental office, and other health related entities are required by law to have a specialized IT risk assessment to satisfy the requirements of HIPAA.

The Evolution of HIPAA

The law when written in 1996 was purposely vague to allow flexibility in the law for it to evolve as technology and ways that medical information was transmitted changed. In 2003, the law defined what exactly is protected (PHI – Protected Health Information). In 2005, the law defined the framework for ePHI, that is the electronic version(s) of PHI. This was largely ignored from 2005 until recently. In 2009, the HITECH act was passed within the ACA (Affordable Care Act – a.k.a. Obamacare) and amended to the law to fund increased HIPAA enforcement.

Now Here’s Where YOUR BUSINESS Comes In.

The HITECH portion of the law, combined with the HIPAA Omnibus Final Rule in 2013 defined the roles of BA’s (Business Associates) in HIPAA compliance. BA’s are now required to comply and be liable for penalties. BA’s are now responsible for their subcontractors as well.

Are You Classified as a Business Associate ?

Covered Entities (CE’s) such as Health Care Providers who bill electronically, or health plan providers are obviously in need to be compliant, or face audits and fines. However, as a business associate that supports these CE’s; you will be tasked when the CE’s get audited to prove you too have taken measures to be ePHI compliant according to the law. So examples of companies that come in contact with ePHI are attorneys, accountants, data center and cloud providers, managed IT service providers, shredding companies, document storage companies, collection agencies, EMR companies, EHR companies, Insurance agencies, revenue cycle management vendors, transcribers, and the list goes on.

A Word About the Audits ?

In 2011, the OCR (Office for Civil Rights) was commissioned to head the efforts of developing and implementing the audit protocols for HIPAA compliance. The pilot program was developed and implemented in 2012. It found that 66% failed to preform a comprehensive accurate IT assessment. That was a good enough reason for them to approve and proceed with the real audits. As of October 2014, the audit protocol contains 169 items, 40 are tagged REQUIRED, 27 ADDRESSABLE, and 102 are labeled N/A; which basically means that once they realize they can make more money in fines from them, they will be upgraded to REQUIRED. This isn’t going away folks; and it now has teeth.

How Can You Prepare ? Call Pain Point IT Solutions.

Pain Point IT Solutions can help you prepare for the inevitable question(s) you’re going to get from the Covered Entities you help support. We have the means to come in and complete an IT assessment that was developed with the HIPAA law in mind so that you don’t get caught with your proverbial pants down. Companies that demonstrate awareness and have taken real steps towards understanding what their HIPAA issues are will be in a much better position when called upon by the CE’s they support or auditors if they are targeted directly. Please e-mail or call us at gotanitpainpoint@painpointitsolutions.com or 845-249-2889 to set up a 10 minute phone call with me. I guarantee you’ll see the way I think about you and your organization’s short and long term IT planning differs from what you have in place now.