The HIPAA rules require health care providers, such as physicians, hospitals, pharmacies and insurance companies (called covered entities), to comply with two sets of rules those regulating patient privacy and those regulating security of health information.
When a covered entity discloses patient information to an outside vendor and the vendor uses the information to carry out or assist with the covered entity’s business, that vendor is a business associate. A wide variety of businesses including data processing firms, technology firms, accounting firms and law firms that serve health care providers are possible business associates. HIPAA requires covered entities to have a written contract with all business associates in which the associate agrees to comply with certain rules and standards.
Chances are, if your company is a business associate with a covered entity, you already know it. The HIPAA privacy rules went into effect in 2003. The privacy rules required that covered entities have written agreements with their business associates prior to that date.
Although the rules provide certain minimum standards that must be included in the agreements, many covered entities included additional provisions, such as indemnification provisions, that made it important for companies to evaluate each proposed agreement carefully. These negotiations were often painstaking, and for large companies that provide services to numerous covered entities, time-consuming.
Just when the privacy agreements were being completed, the second set of HIPAA rules the security rules became final. Covered entities now must also comply, and make sure their business associates comply, with security rules that apply to electronic health information. Thus, most business associate agreements were amended to include new security standards. Business associates must comply with the following key practical requirements in the security rules.
- Implement administrative, physical and technical safeguards to reasonably and appropriately protect the confidentiality, integrity and availability of electronic health information that they receive, maintain or transmit on behalf of the covered entity
- Ensure that any subcontractors or agents agree to implement reasonable and appropriate safeguards to protect the electronic health information provided to them
Despite almost a thousand pages of HIPAA regulations, the above paragraphs are substantially all of the guidance the government provides on what business associates must do to satisfy their duties to the covered entities that are their customers. In most cases, a common-sense approach is all that is needed to comply with these standards.
Consider the safeguards you have in place for your company’s most sensitive business information, such as your customer list or payroll information, and safeguard health information the same way. The following are some practical tips for meeting these rules.
- Educate your work force on the importance of health information security.
- Evaluate security risks within your business and incorporate health information into your contingency plans.
- Use electronic security systems already in place to safeguard health information.
- Scrub health information when disposing or reusing hardware electronic media.
- Control who is accessing or using health information and for what purpose.
- Control who has the ability to change or destroy health information by using unique logins and password protection of computer workstations
Ellen L. Luepke is an associate in the Chicago office of Barnes & Thornburg LLP. She concentrates her practice in the regulatory and transactional aspects of health care law. Reach her at email@example.com or (312) 214-8319.