Healthcare as a profession is very complex no matter how you view it. Either you are a doctor, psychologist, medical practice, clinic, laboratory or even a medical billing company it is very challenging enough to understand seemingly the never ending list of HIPAA rules and regulations, recommendations and responsibilities without the added burden, especially when in terms of IT which may not be your line of specialization .
Basic things to be known when it comes to the issues of HIPAA and the IT Support Vendor
Business Associate Agreements (BAA) and Business Associates. It is very essential to have a BAA in place with any vendor or contractor that has access to ePHI (electronic protected health information) and this also includes your IT vendor as they will have access to ePHI often. One of the most commonly disregarded entity which can have an overwhelming consequence for your practice during the HIPAA audit is knowing that you have disregarded BAA in place with your IT vendor or you are using a non HIPAA compliant IT company. You need to verify if you are using an IT Support Company that works with HIPAA covered entities and strongly follows HIPAA rules and regulation. By having the BAA in place you are ensuring that the vendor you use must acknowledge and abide by regulations of HIPAA.
WHAT HAPPENS IF I DON'T HAVE A BAA IN PLACE WITH MY IT SUPPORT COMPANY?
Some of the largest fines to date have been linked to the failure to have a BAA in place with IT support or companies. Earlier this year a Hospital in Chicago face a $5.5-million-dollar penalty and one of the 3 main reasons for this penalty was the failure to BAA in place with just 2 of their technology vendors who had access to ePHI.
WHERE DO I GET A BAA?
The government makes a sample of BAA's available to you on their website or you could also contact us and we will supply you with a free BAA document. Fortunately, compliance and regulations have become more transparent over the past years. However, there are still some areas that offices are being penalized for violating HIPAA regulations. It is not necessarily disregarded, at times, it is simply lack of required knowledge and understanding. Yet when it comes to the cases of Federal Law this is a black and white issue that comprises of significant penalties (such as charges for criminal negligence and fines $100,000 upward). But there is good news. Assessing the completeness of your IT for HIPAA compliance does not have to be troubling. Every IT consultant will be very happy to do this for you. Better still, having a partnership agreement with a Managed Service Provider (MSP) like Advanced Computer Consulting LLC does not only ensures that you are HIPAA compliant, but it also keeps you compliant after a HIPAA assessment or audit is complete.
HOWEVER, IF YOUR BUSINESS HAS NOT MADE THE MOVE OF CONTRACTING YOUR IT TO AN MSP, HERE ARE THREE HIPAA RULES AND REGULATIONS YOU SHOULD KNOW:
ALL OF YOUR INFORMATION MUST BE HIPAA COMPLIANT (NOT JUST EHRS).
Does your office contain identifiable ePHI data sets on-site individually? Do you have information like billing records, appointment information and test results at your business site? If yes, this information must be kept on HIPAA compliant devices, as well as storing them on well secured servers. A lot of medical practices are making use of cloud-based storage. For sure, it is efficient to have EHRs stored on the cloud. But be certain that the rest of your ePHI data is strongly protected as well. This simple mistake results to some major fines.
YOUR PROTECTED HEALTH INFORMATION NOTICE MUST ALSO BE AVAILABLE ONLINE.
Hopefully, most practices or businesses now have a website. If you are one of those who does not have one, you may skip ahead. To those practices or businesses who have a website, please have it in mind that HIPAA rules states that your website should to contain an updated copy of the protected health information notice every time and this notice must be easily accessible to patients. If the website does not have an up-to-date copy of this notice currently, it is strongly recommended that it should be made the highest priority. It is very easy to put it off and can be a stress if there is a non-IT professional at your office, but the penalty for non-HIPAA compliance is very costly.
HEALTHCARE BUSINESS ASSOCIATES MUST ALSO BE HIPAA-COMPLIANT.
Do you think that this isn't going to be relevant to your business? In opposing the belief of some businesses, it’s not just practices, healthcare or health plan organizations that are required to be HIPAA compliant. Every other business that has either electronic or otherwise access, to protected health information is strictly required by law to be HIPAA-compliant. This also includes every accounting or law firms you are working with that access your data electronically. Just take this simple suggestion: ask your associates if they are HIPAA compliant. • If they are HIPAA compliant, ask them about the last time that they assessed the situation. • If they are not HIPAA compliant, revoke their file access immediately. Do not grant them the access until they take a corrective action, because both of you will be involved in the penalty.
NOT 100% SURE IF YOU’RE HIPAA-COMPLIANT?
Advanced Computer Consulting LLC employs professionals who are trained and familiar with HIPAA regulations and requirements. Advanced Computer Consulting LLC has experts who can run all the necessary risk analysis and assist in addressing any zone of your technology will leave you vulnerable to any form of criminal charges or heavy fines. Feel free to contact us today, we will give you the best IT support without any extra stress.