Tech Companies Responsible for HIPAA Compliance? You Bet.
October 8, 2018
It is an exciting time for technology businesses considering or already providing services in the health care space. While technology is driving the growth of big data in health care, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) is taking steps to ensure the security and privacy of patient medical records, also known as protected health information (PHI).
HIPAA is the federal law that outlines how health care entities must protect this information; however, compliance does not stop with the health care provider. Businesses that provide services directly or indirectly (as subcontractors) to health care entities are subject to a set of complex rules governing privacy, security, and data breaches, even where they are merely providing cloud or other IT services. These health care vendors are known as “business associates” as defined by HIPAA. For these companies, the challenge of navigating the rules, not to mention a new regulatory vocabulary, can be daunting.
Recently, one example of a business associate’s failure to implement policies and procedures resulted in a settlement with the OCR for $650,000 after the theft of an unencrypted iPhone compromised PHI of hundreds of nursing home residents.
In addition, health care providers are likely to be more proactive about ensuring their business associates are HIPAA compliant in light of the current enforcement environment.
In response to these trends, Shuttleworth & Ingersoll has packaged a solution of legal services called the HIPAA Business Associate Toolkit.
“Taking on a health care provider as a client for the first time can be daunting if you’re not already familiar with the procedures you need to have in place,” said Bill Daly, attorney with Shuttleworth & Ingersoll. “The priority of all service providers that work with medical data should be privacy and security. There’s no room for mistakes, no matter the size of your company.”
Jason Sytsma, attorney with Shuttleworth & Ingersoll, is hopeful this will simplify the process for his clients. “This toolkit will give clients everything they need to protect their business and ensure HIPAA compliance for a flat fee.”
Taking a single business associate client from zero to complete HIPAA compliance is a significant undertaking and a significant investment for that one client. The concept of the toolkit was born of wanting to provide this vital and practical solution to multiple clients at a much lower individual cost, which will also include a couple of hours to further tailor the solution to the individual company.
For more information about the HIPAA Business Associate Toolkit, please reach out to our office. I would be happy to discuss if these packaged services are something your business could take advantage of.