Even though we’ve had 15 years to address the issue, most companies still question whether they are HIPAA compliant. In fact, a survey by eFax found that more than half of companies polled are concerned about HIPAA compliance.

By Tim Dubes, senior manager, Enterprise Marketing, eFax Corporate
Since its 1996 inception, HIPAA has undergone two major revisions: the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus Rule (Final Rule). These amendments were designed to clarify the standards and procedures of HIPAA compliance, but for many companies they only muddied the waters.
In addition to this ambiguity, HIPAA has many moving parts and continually shifting security and privacy paradigms. Consider your own company’s challenge of establishing and maintaining administrative, technical, and physical safeguards, as well as privacy technologies and processes. Now add auditing, data transport, document management, and the explosion of mobile devices used within organizations to the mix. Lastly, try to coordinate and streamline these HIPAA aspects (and these are just a few) with every vendor you consider a partner. It’s no wonder confusion about HIPAA compliance is rampant.
Business associate agreements (BAAs) were established as part of HITECH to help coordinate HIPAA security and privacy compliance between partners. A BAA is a contract between a HIPAA-covered entity and a HIPAA business associate that governs how personal health information (PHI) is protected within HIPAA guidelines. BAAs serve a solid purpose and can be effective – if implemented properly.
However, many businesses misunderstand the benefits and implementation of BAAs, which can leave them unknowingly non-compliant. Here are some considerations to explore in order to truly realize the benefits of, and the security provided by, BAAs.
- Change your perception of BAAs. Historically, BAAs have been treated as the finish line, but in reality they should represent the starting gate. The BAA, the service level agreement (SLA), and the contract should accurately reflect the expectations and responsibilities of both parties. There is no such thing as a standard, one-size-fits-all BAA, because so many aspects of conducting business jointly must be tailored to the relationship. For example, you may change a setting in an administrative function and not realize that it changes the HIPAA compliance requirements for that service, invalidating the compliance you assumed the BAA guaranteed.
- Read the fine print. Prior to signing a BAA, make sure you have discussed and understood both your application and your vendor’s product or service, to avoid misunderstandings down the road. Additionally, a vendor may offer a truly HIPAA compliant solution and support that solution with a BAA, yet your use of the service may still not be HIPAA compliant. The oft-misunderstood Conduit Exception provision of the Omnibus Final Rule is an excellent example. The Conduit Exception applies to vendors – either off-line or on-line – that provide a service acting as a transport for PHI but do not necessarily access or store the information. In some cases the need for a BAA is crystal clear: KeepItSafe, for example, provides data storage and encryption, so the company is obviously an excellent BAA candidate. By contrast, consider on-line faxing without an online archive, which is considered to fall under the Conduit Exception. Yet your users may print out the electronic faxes they receive on a shared network printer located in a non-secure area – a potential violation. To ensure compliance, devote proper attention to the overall document transmission chain: secure access to multi-function printers (MFPs), connectivity to electronic medical records (EMR) systems, and the location and orientation of monitors in public workspaces such as waiting rooms.
- Search for vendors with similar compliance structures. HIPAA requirements are not transferable; while your vendor’s status is important, your organization must implement its own comprehensive HIPAA compliance program. Once you’ve established that your own HIPAA procedures are compliant, select vendors that understand your framework and can make recommendations on the best application of their technologies within your organization.
- Trust, but verify. With so much ambiguity within HIPAA, it’s easy to find a disconnect between your interpretation of compliance and your vendors’. Vendor selection should be guided by the established protocols in your overall HIPAA compliance program. When entering into a relationship with a vendor, follow the old adage: trust, but verify. Even if a vendor willingly signs a BAA, perform due diligence to ensure its product or service is a match for your organization.
- Regularly monitor, update and enforce. While policies and procedures are key to any HIPAA compliance program, they are worth nothing without rigorous monitoring and ongoing enforcement. Your organization should always be on the lookout for security breaches, both technological and procedural, to ensure that PHI remains secure. As additional reinforcement, consider conducting routine training sessions with employees on the policies and procedures covering all access to and use of PHI.
When it comes to HIPAA, you’ve put too much time and effort into your technologies and procedures to let one minor change (such as an admin or security setting) make your system non-compliant. Follow these BAA best practices to ensure your data and document management processes remain compliant.
About the author
Tim Dubes is senior manager, Enterprise Marketing, with eFax Corporate, a division of j2 Global, Inc., a global provider of business cloud and digital media services. eFax Corporate helps thousands of companies in highly-regulated industries – including healthcare – transmit and manage sensitive documents efficiently and securely.