IT providers, do you have clients in healthcare? Do you handle their patient data? If yes, then you are almost certainly required to protect that data by HIPAA.
HIPAA calls this data “electronic protected health information,” or ePHI. Essentially, it is electronic information about a patient. It can be anything from a patient’s phone number to a recent diagnosis.
HIPAA requires healthcare organizations to protect this data. It also requires their “business associates” to protect it – and that includes their IT service providers.
A business associate is anyone who handles ePHI as part of a service for a client covered by HIPAA. If you create, receive, maintain, or transmit ePHI for a client, then it is almost certain that you are the client’s business associate.
Business associates can be held liable for not meeting HIPAA’s guidelines to protect ePHI. They can receive massive penalties if found out of compliance.
In some situations, they might even be liable if a client fails to comply and suffers a breach -- even if the breach has nothing to do with the associate.
So far, HIPAA penalties have focused on healthcare organizations and not their business associates. However, that is expected to change very soon.
The federal agency responsible for HIPAA enforcement, the U.S. Office of Health and Human Services Office of Civil Rights (OCR), sees business associates as a weak link in the chain of security that surrounds ePHI.
According to one official, business associates are responsible for 60% of major PHI breaches that affected more than 500 people.
“It’s become clear business associates have a disproportionate impact,” said the official, David Holtzman, a health information privacy specialist at the OCR.
While no one likes to be scrutinized, there are steps you can take to prevent it from affecting your organization.
First and foremost, if you have clients who are covered by HIPAA, then do all you can to make sure you comply with the guidelines. Find a professional who specializes in this area. Work with them to review your client relationships and know your obligations.
Second, look at any healthcare clients who seem dismissive of HIPAA’s guidelines. If they suffer a breach and receive fines, you might share in those fines if you’re not careful.
Limit your exposure to these clients beforehand. Consultant an attorney to assess how to reduce or eliminate your risk.
For example, you might want to define your relationship with a client in legal terms and make it clear that you are not a “business associate.” To do that, you will likely have to demonstrate that you do not handle ePHI regularly for the client and any access you have to it is incidental and temporary.
You might also want to go a step further:
Sign an agreement with the client stating that if the client is penalized and you are held liable as a business associate then you will be held harmless for all expenses or losses related to the event.
These are just ideas. Be sure to consult your attorney.
HIPAA is an opportunity for IT providers to increase sales. But just like every opportunity, a balance must be struck between risks and potential rewards.
You can help shift that balance in your favor by reviewing your “business associate” relationship with each client and limiting your exposure to any that fail to take HIPAA seriously.
Do that and the “rewards” side of the sale might land right in your lap.
HIPAA for IT Service Providers: Top 5 questions