Hospitals, clinics, long-term care facilities, and your PPO must abide by HIPAA’s Privacy and Security Rules. However, many people overlook the law firms, consultants, and, yes, even medical device manufacturers that must remain in compliance or be subjected to stiff penalties.
To see how and why your organization may fall under HIPAA, let’s review what exactly HIPAA is:
A Refresher on HIPAA
Signed into law in 1996, HIPAA compelled the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. As a result, HHS published the Privacy Rule and the Security Rule.
The rules outline how organizations must store and safeguard Protected Health Information (PHI). Before HIPAA, no generally accepted set of standards existed regarding health information, and with the rise of technology in the industry, existing laws and regulations were inadequate to address the types of information and transmission methods available.
Organizations Subject to HIPAA
As defined by HHS, HIPAA applies to two classes of organizations:
- Covered Entities: healthcare providers that transmit information in an electronic form; health plans, such as insurance companies, HMOs, and government programs that pay for care; and healthcare clearinghouses, such as a coding service or revenue cycle management partner.
- Business Associates: partners utilized by Covered Entities, such as claims processors, CPA and law firms, quality assurance consultants, and pharmacy benefits managers.
Medical device companies commonly fall into the Business Associates category. An example would be a medical device manufacturer working with a physician or researcher who transmits PHI to the manufacturer for data analysis, continuous improvement or corrective action/preventive action. Receiving such information necessitates a system capable of storing and safeguarding PHI.
How to Remain in Compliance
If your organization falls into the Business Associates category, it’s important to have two things in place: a legal agreement with the Covered Entity with whom you are working and the tools necessary to begin storing and protecting PHI.
A Business Associate Agreement (BAA) ensures in writing that the Business Associate understands and will abide by the Privacy and Security Rules set forth by HHS. The agreement lays out, among other things, how PHI may be used, disclosed, and protected. The Office for Civil Rights (OCR), the enforcing entity within HHS, offers sample language to create a legally enforceable BAA.
Because rules and regulations can change quickly, I would recommend using a document and contract management tool to ensure contracts are developed, eSigned, and stored in an organized manner. BAAs are not the time to count on paper contracts and a filing cabinet, or even an off-the-shelf cloud storage solution.
You should also ensure your organization has a HIPAA compliant workflow in place with properly secured data capture tools. In the earlier example, you should check that the researcher is transmitting their findings and feedback to your organization in a compliant manner. While some physicians use HIPAA compliant email systems, in my experience, most manufacturers do not.
Unless both parties are using an end-to-end HIPAA compliant system, there’s a weak link in the compliance chain. Covered Entities and Business Associates alike should be employing a method of data capture with the storage encryption and access controls required by HIPAA.
Avoid HIPAA Violations
If HIPAA violations seem like a rare edge case, think again. In March 2019, more than a quarter-million patients’ personal and medical information was exposed by one manufacturer alone.
How did this happen? The manufacturer’s email archiving partner merged two servers, thereby exposing patients’ PHI to potential unauthorized access.
HIPAA compliance is a must-have, especially considering that violations have resulted in employment termination, fines into the millions of dollars, and even prison sentences. To protect your company’s interests, ensure you’re communicating regularly with your development, quality assurance, and regulatory affairs teams to find out if your organization is, or may become, a Business Associate under HIPAA and if you’re ready to implement the proper workflows for handling PHI.
Chris Byers is the CEO of Formstack, a software company with a mission to transform the way people collect data and put it to work. He is a seasoned leader with over a decade of experience overseeing remote teams. At Formstack, his goal is to turn people into great leaders, and he's passionate about helping problem solvers see more value in the work they do every day.