Are YOU a HIPAA Business Associate? The Answer Could be YES for Attorneys and Accountants

HIPAA has been a key issue for health care providers and the technology firms that server them for more than 20 years. But recently, more companies are being defined as a HIPAA business associate. This means that even businesses not directly related to healthcare may now be required to comply with HIPAA regulations.

As the types of electronic data that organizations deal with has increased, HIPAA has been updated and expanded to safeguard more types of data and has come to encompass more types of businesses. As a result, HIPAA compliance is no longer just an issue for healthcare organizations. It is a concern for healthcare business associates – a wide range of other businesses that work with healthcare entities.

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act, a law that was passed in 1996. HIPAA contains five sections or titles that are intended to protect patient data and ensure access to healthcare. The section or title that is usually associated with HIPAA compliance is Title II which requires healthcare organization to protect the privacy of and secure electronic access to patient health data.

Since the passage of HIPAA nearly two decades ago, regulations around healthcare data security have been modified twice. In 2009, the Health Information Technology for Economic and Clinical Health or HITECH Act was passed, creating guidelines for how healthcare security data should be handled. In 2013, the HIPAA Omnibus rule brought HIPAA guidelines into compliance with HITECH.

The most significant change that came with the HIPAA Omnibus rule was an expansion of the parties that have HIPAA compliance requirements. The 2013 rule expanded HIPAA compliance responsibilities to business associates of covered entities (covered entities are healthcare organizations that were previously covered under HIPAA). The rule also increased the penalties for HIPAA violations to a maximum of $1.5 million per incident.

What does this mean for your business?

A business associate can be defined as any entity that handles personal health records or information – these can include accountants, legal professionals or consultants that work with covered healthcare entities that may have access to these types of records.

In 2016, the Department of Health and Human Services announced that it would be stepping up its HIPAA compliance efforts with random compliance checks of both covered entities and business associates, leaving many business entities wondering whether their compliance efforts would be sufficient to pass a review.

HIPAA Business Associate Compliance and Penalties

HIPAA business associates are subject to steep penalties for mishandling data security, so ensuring that your organization is in compliance with these rules is crucial. Understanding the technical and data requirements needed to ensure HIPAA compliance is a challenge for organizations that don’t specialize in security. Ensuring your data is HIPAA compliant is a major advantage of working with a managed service provider, but it’s important to ensure that your provider is up to date with these compliance requirements themselves.

HIPAA compliant managed services providers can provide the safeguards needed to protect patient data and records, including:

  • Physical security to control physical access to data centers, servers, etc.,
  • Technical security to ensure electronic access is controlled,
  • Policies and procedures to ensure HIPAA compliant data protection,
  • Systems to assist with identifying causes or sources of security breaches,
  • Network security to protect against unauthorized public access to HIPAA-protected data.

HIPAA Business Associate Data Security in Texas

HIPAA compliance is not the only data security rule with which Texas attorneys, accountants and other business associates need concern themselves. In Texas, businesses have always been required to take reasonable precautions against, and make appropriate efforts to correct unlawful use or disclosure of sensitive personal information collected or maintained by the business.

If your business works with HIPAA security data, contact Tolar Systems today to learn about how our IT managed services can help you stay compliant with Federal and state law and avoid penalties that could severely impact your business.