HIPAA Compliance Services isn't just for Healthcare Companies
HIPAA (Health Insurance Portability and Accountability Act of 1996) is nothing new for healthcare organizations. The legislation ensures patient data is secure and kept private due to its sensitive nature. Therefore, it’s an obvious and natural concern for the 800,000 or so organizations across the U.S. delivering healthcare services as their primary function (defined as “covered entities” under the law).
However, HIPAA rules apply to a much broader spectrum of companies, many of whom may not even realize they’re required to be HIPAA compliant. Since 2013 (after the Omnibus Rule went into effect), any company dealing with PHI (Personal Healthcare Information) is responsible for following the same rules and is subject to penalties if found to be out of compliance.
These “business associates” include law firms, accounting firms, transcription service providers, and document storage or disposal companies. Any entity that touches PHI qualifies, yet many of these organizations are unaware of their responsibilities and the risks they face by ignoring compliance issues.
All told, there are more than 2 million businesses considered “business associates” under the law, while only a fraction have taken the necessary steps to be HIPAA compliant.
The cloud isn’t protection
A common misconception among businesses that are aware HIPAA compliance applies to their organization is that utilizing cloud services provides adequate data security protection. Their thinking is that if things are in the cloud – and the cloud services provider is HIPAA compliant – then nothing is “local” so their own networks and devices don’t count.
While cloud services definitely reduce potential weak points in PHI protection, they are not by themselves fully adequate in the eyes of the law. For example, most cloud services allow for data exports, and once that data is extracted there’s nothing stopping it from falling into the wrong hands.
This export capability means environments must be secure and comply with HIPAA standards, including locking down who has access to export capabilities, protecting the local network and securing credentials to prevent unauthorized access to both the cloud service and the company’s own systems.
Bringing these issues up with management or clients may seem awkward, but ignoring the dangers is a disservice and puts everyone at risk. A potential liability of up to $1.5 million per year warrants having that conversation.
Best Medical Transcription exposed the data of 1,654 patients from Virtua Medical Group. Best Medical Transcription (since shut down as a result) was subject to a $200,000 fine as a business associate and the owner was barred from owning a business in New Jersey for life. This is on top of the $418,000 fine Virtua had to pay.
Nobody wants to pay huge fines or cause their clients to owe money as well. Plus, the reputational damage to everyone involved can have major consequences.
Want to find out more how we can help you manage HIPAA compliance and other mandated regulations? Contact us today.