Here are answers to 5 FAQs to get you started:
What is HIPAA?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act. The act originally passed in 1996 and has since been updated and expanded several times. “HIPAA” is used generally to refer to the original act and its later changes.
HIPAA sets a broad range of standards for the administration of healthcare. Many of them affect the management of “protected health information” (PHI). PHI is typically associated with a specific patient, such as a person’s blood test results or appointment dates. It is sometimes described as “personally identifiable health information.” It can be written, verbal, or in any other format.
The electronic form of this information is called ePHI. HIPAA outlines specific standards for protecting this data, including requirements for network security and management. Organizations that are covered by the act must protect all ePHI that is received, created, maintained, or transmitted.
Who has to comply with HIPAA?
HIPAA classifies those who must comply into three groups:
Does HIPAA affect IT providers?
IT service providers are typically considered “business associates” of their healthcare clients. This requires them to comply with portions of HIPAA.
For example, most MSPs and VARs are required to sign a “business associate agreement” with each healthcare client. These agreements contractually obligate the providers to protect the privacy and security of the ePHI they handle on the client’s behalf.
Furthermore, IT providers may need their subcontractors to sign a business associate agreement if they handle ePHI for the provider’s client.
How can MSPs and VARs comply?
The most relevant section of HIPAA for IT service providers is referred to as the Security Rule. The Security Rule sets broad requirements for protecting ePHI. For example, covered entities must:
The guidelines to meet these requirements are also included in the Security Rule. MSPs and VARs who handle ePHI as part of their services must comply with the relevant provisions described in this section to be HIPAA compliant.
Source: Title 45 of the Code of Federal Regulations, Part 160 and Subparts A and C of Part 164