HIPAA (Health Insurance Portability and Accountability Act) compliance is a complex and critical issue for many of the businesses we manage. For the businesses that outsource their IT management to NSK Inc, the obligation to ensure HIPAA compliance falls on their IT managed services provider, which is NSK Inc. Our clients in the healthcare industry continuously pepper us with questions and concerns about staying HIPAA compliant and avoiding the costly consequences of a HIPAA violation.
Here are the three most commonly asked questions about HIPAA compliance that we get and answer with extreme confidence.
- Who’s covered under HIPAA?
Virtually every business that falls under the broad umbrella of healthcare, from private practice therapists to small doctors’ offices to health insurance companies, has to comply with HIPAA, and that includes us, NSK Inc, as the managed services provider that manages these healthcare networks and data. Although many of these organizations think primarily about their in-office software and hardware, the truth is that HIPAA extends well beyond those boundaries. For example, if a doctor has access to corporate information or even electronic medical record systems on his or her cell phone, then that device needs to be HIPAA compliant as well (this is where mobile device management comes in).
NSK Inc understands the differences between healthcare standards and those of other industries. We understand that each subset of the healthcare industry has unique technology requirements. RFID, EMR and medical-grade networks need secure data transmission and a focus on a finite set of deliverables; blood banks, imaging clinics, doctors’ offices, billing and administration centers and other medical facilities all need secure data networking and advanced IT solutions. Our associates have the specialized skills, and NSK Inc has strategically positioned itself, to help our clients in the healthcare market.
- Why the recent focus and industry-wide emphasis on HIPAA compliance?
Although HIPAA was first enacted in 1996, it’s clear that there has been a real push toward compliance more recently. One of the reasons for this is the new set of requirements that must be met under the HITECH Act as of September 2013. Among other things, the HITECH Act requires that managed IT services providers sign a business associate agreement. By doing so, we (NSK Inc) assume some of the liability for handling the sensitive data found within electronic Protected Health Information (ePHI); without these business associate agreements in place, we would no longer be able to work on clients’ systems if they required HIPAA compliance.
According to the American Health Information Management Association (AHIMA), an average of 150 people “from nursing staff to X-ray technicians, to billing clerks” have access to a patient’s medical records during the course of a typical hospitalization. While many of these individuals have a legitimate need to see all or part of a patient’s records, no laws govern who those people are, what information they are able to see, and what they are and are not allowed to do with that information once they have access to it.
- What are the consequences of non-compliance?
As part of the ecosystem of vendors and providers that are required to maintain HIPAA compliance, we are also part of the liability chain. Violating HIPAA regulations results in fines from $1,000 to $5,000 per instance on the low end of the spectrum, up to $1.5 million for willful neglect (companies that know the requirements but violate them anyway). HIPAA compliance is not a luxury; it’s the law, and if your managed service provider or the IT staff you work with are found to be on the wrong side of this law, these violations can get pretty pricey pretty quickly.
What does HIPAA Require?
HIPAA regulates “covered entities” that consist of healthcare providers, plans, and clearinghouses that process health data in the electronic format specified in the HIPAA statute. With the release of the HITECH-HIPAA modifications, HIPAA also now covers “business associates” or entities that contract with covered entities and that receive, use, and process protected health information (PHI).
The HIPAA Privacy Rule governs PHI, which is any “individually identifiable health information”, a broad definition that includes paper records. The HIPAA Security Rule is narrower, applying only to “electronic” PHI, or e-PHI.
From a bird’s eye view, the key aspects of HIPAA include:
- Privacy Program. HIPAA mandates that covered entities designate a privacy official to develop and implement policies for protecting privacy and handle questions and complaints. HIPAA also requires training of personnel.
- Limitations on Disclosure and Use. HIPAA requires that people authorize disclosure of their PHI unless an exception applies, such as a legal requirement or to report abuse, or for treatment, payment, or healthcare operations. The “minimum necessary rule” requires that only the minimum necessary PHI be accessed and used.
- Patient Rights. HIPAA provides a set of rights to patients, including a right to be given a notice about the privacy practices of a covered entity, a right to access PHI, and a right to file a complaint alleging a HIPAA violation without retaliation.
- Security Safeguards. For e-PHI, the HIPAA Security Rule provides a detailed series of administrative, physical, and technical requirements.
- State Law. HIPAA did not preempt stronger state law protections, so any more protective state law remains in effect.
The HHS Office for Civil Rights (OCR) is responsible for the civil enforcement of HIPAA. There are also criminal penalties for certain wrongful disclosures of PHI. However, HIPAA does not provide a private right of action, meaning that people whose HIPAA rights are violated cannot sue for damages under HIPAA itself, though they can still sue if state law is violated. (http://library.ahima.org/)
Moving Toward Compliance
The average cost of a data breach is $3.8 million, with 94% of organizations reporting some type of data breach over the past two years. Approximately 44% of businesses believe they are HIPAA compliant, while 28% aren’t sure of the requirements themselves, let alone whether their own organization is capable of meeting them. Make sure you're not part of that 28%.
NSK Inc has designed our IT managed services to provide our healthcare clients with one-stop shopping for information on emerging products and solutions. We can remotely monitor and manage your network, as well as integrate network operations to bolster the scalability, reliability and regulatory compliance posture of critical healthcare infrastructure, along with managing all the devices used in your organization.