The Health Insurance Portability and Accountability Act (HIPAA) is a law that governs data privacy. It does so by setting a national standard that protects patients’ data from being disclosed or shared without the patient’s consent. Covered entities are subject to a Privacy Rule that gives individuals the right to understand and control how their information is shared.
Typically, HIPAA regulations are associated with healthcare providers and medical institutions, since they address patients’ data privacy. However, HIPAA compliance also extends to businesses and individuals who aren’t in the medical business at all, as long as they handle this kind of information.
HIPAA regulations for non-medical businesses
Information about a hospital’s patients may be stored on several different platforms, and those platforms are not necessarily under the full control of the healthcare provider. This means patient information remains exposed to significant risk. Any other business involved in storing, sharing, or using patient information should therefore be HIPAA compliant.
This article looks at how HIPAA applies to business associates that provide services to HIPAA-covered entities.
HIPAA on cloud service providers
Cloud service providers are considered business associates of covered entities. They therefore have to be HIPAA compliant despite not being medical businesses. Before using any cloud provider to store, process, or transmit Protected Health Information (PHI), the covered entity should confirm that the provider is secure. This means not only checking for a HIPAA compliance certificate but also performing a risk analysis of the provider to evaluate the risk of a data breach.
The covered entity must therefore obtain a signed Business Associate Agreement (BAA) from the provider before any protected information is uploaded to the cloud. The BAA should state the permitted uses of the data, the safeguards implemented, and all the HIPAA rules that apply to the service provider.
Service providers who don’t adhere to HIPAA rules can be fined even if they never view the data uploaded to their platform. A signed BAA does not by itself make the provider HIPAA compliant, but it helps both the covered entity and the business associate meet their HIPAA obligations.
HIPAA on transcriptionists
Transcriptionists aren’t necessarily health providers, so they may not fall under the definition of a covered entity. Many freelancers offer transcription services, and healthcare facilities may contract them to transcribe patients’ data.
The data entrusted to them is sensitive, and transcriptionists are therefore required by law to maintain its confidentiality. The covered entity outsourcing the work must have the transcriptionist sign a written contract that commits them to safeguarding the information provided to them.
HIPAA on billing companies
For medical billing companies to perform their duties, they need access to protected health information. This means patients’ data is accessed by an institution other than the healthcare facility where it was originally stored. HIPAA always applies to billing companies in order to protect this information and guarantee that patients’ privacy is respected.
The billing company will have access to treatment information, fees or insurance paid by the patient, and the location of the treating facility. Therefore, billing companies are required to implement administrative, physical, and technical safeguards to maintain the integrity of the protected information.
Physical safeguards include physical security systems such as alarm systems. Administrative safeguards include training employees on the importance of data privacy. Technical safeguards include cybersecurity measures that protect information stored in digital form. Billing companies are also prohibited from engaging in fraudulent activities.
HIPAA on medical device manufacturers
HIPAA defines no specific requirements for medical device manufacturers, beyond expecting them to help covered entities achieve data privacy. Device manufacturers should therefore:
- Include access control features, such as passwords, on their devices in line with the covered entity’s rules.
- Sign a BAA with the covered entity confirming that they understand and will honour HIPAA privacy policies.
- Read and understand the HIPAA guidelines on what counts as protected health information, and consider how to protect it.
- Create a stable workflow that ensures data is captured and kept securely from the source through to storage.
- Apply security patches frequently, identify any software compatibility issues, and perform upgrades that enhance data security.
Generally, medical device manufacturers need to understand user needs and create devices that support information protection.
HIPAA is a crucial part of information privacy. Health records are valuable and hence a prime target for hackers. As a result, the information needs to be protected and shared only with the patient’s consent and knowledge. HIPAA has clear guidelines on how information must be protected within covered entities. However, it applies differently to business associates, as discussed in this article. Most importantly, health records need to be secured at every point where they are shared or stored.