HIPAA Compliance for IT Providers: Top 5 questions
Here are answers to 5 FAQs to get you started:
- What is HIPAA?
- Who has to comply?
- Does HIPAA affect IT service providers?
- How can IT service providers comply?
- Where can I learn more?
What is HIPAA?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act. The act was originally passed in 1996 and has since been amended and expanded several times, notably by the HITECH Act of 2009 and the Omnibus Final Rule of 2013. “HIPAA” is used generally to refer to the original act, its implementing regulations, and those later changes.
HIPAA sets a broad range of standards for the administration of healthcare. Many of them govern the handling of “protected health information” (PHI): individually identifiable health information, such as a person’s blood test results or appointment dates, that is held or transmitted by a covered entity or business associate. PHI can be written, spoken, or in any other format.
The electronic form of this information is called ePHI. HIPAA sets specific standards for protecting it, including administrative, physical, and technical safeguards that reach network security and systems management. Organizations that are covered by the act must protect all ePHI that they receive, create, maintain, or transmit.
Who has to comply with HIPAA?
HIPAA’s rules reach three groups:
- Covered entities – Health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with HIPAA-covered transactions such as claims and eligibility checks.
- Business associates – Service providers who receive, create, maintain, or transmit ePHI for a covered entity. Examples include services for medical transcription, insurance processing, and network management. Additionally, the subcontractors of business associates who handle ePHI are also subject to the rules.
- Workforce – All employees, volunteers, and trainees of a covered entity or business associate. This includes anyone who is under the “direct control” of the organization, whether or not they are paid.
Does HIPAA affect IT providers?
IT service providers that handle ePHI for healthcare clients are considered “business associates” of those clients. Business associates are directly liable for complying with the Security Rule and with the provisions of the Privacy Rule that apply to them.
For example, any MSP or VAR that receives, creates, maintains, or transmits ePHI for a healthcare client must sign a “business associate agreement” with that client. These agreements contractually obligate the provider to protect the privacy and security of the ePHI it handles on the client’s behalf, and to report security incidents and breaches to the client.
Furthermore, IT providers may need their subcontractors to sign a business associate agreement if they handle ePHI for the provider’s client.
How can MSPs and VARs comply?
The most relevant part of HIPAA for IT service providers is the Security Rule (45 CFR Part 164, Subpart C). The Security Rule sets general requirements for protecting ePHI. Covered entities and business associates must:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
- Protect ePHI against reasonably anticipated threats or hazards to its security or integrity.
- Protect ePHI against reasonably anticipated uses or disclosures that the Privacy Rule does not permit.
- Ensure that their workforce complies with the rule.
The Security Rule also specifies the administrative, physical, and technical safeguards used to meet these requirements, such as risk analysis, workforce training, access control, audit controls, and transmission security. Each safeguard is either “required” or “addressable”; an addressable safeguard may be implemented as written, replaced with a documented equivalent, or documented as not reasonable and appropriate for the organization. MSPs and VARs that handle ePHI as part of their services must implement the applicable safeguards, document how they did so, and keep that documentation to be HIPAA compliant.
Where can I learn more?
Title 45 of the Code of Federal Regulations (45 CFR): Part 160 and Subparts A and C of Part 164.