
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a cornerstone of healthcare compliance regulation, but understanding its implications for your business operations can be complex.

How PHI Stewards Ensure Others Comply

As an entrusted steward of protected health information (PHI), how do you ensure that business associates—vendors, contractors or other third parties you share data with to help run your organization—comply with HIPAA before, during and after their activities?

The guidelines outlined in this article provide some basic considerations for complying with HIPAA regulations and when you can (and can’t) share PHI with business associates.

HIPAA: A Brief Background

HIPAA is a federal law that sets standards for protecting sensitive patient information. It initially applied only to healthcare providers, health plans and healthcare clearinghouses. However, with the addition of the Health Information Technology for Economic and Clinical Health (HITECH) Act, as of January 2013, HIPAA now applies to the business associates of the organizations mentioned above, such as lawyers, consultants, accountants, contractors, cloud providers, software vendors, shredding services, etc.

HIPAA established national standards to protect individuals’ medical records and PHI, setting limits and conditions on using and disclosing that information without an individual’s authorization.

PHI includes information about health care, health status or payment for health care that can be linked to a specific individual via one or more PHI identifiers, which are:

  1. Names
  2. Geographic subdivisions smaller than a state (zip code, county or city, street address, etc.)
  3. Dates
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical records numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identification, license plate, or serial numbers
  13. Device identifiers
  14. Web Universal Resource Locators (URLs)
  15. IP addresses
  16. Biometrics (fingerprints, voice prints)
  17. Full-face photographic images
  18. Any other unique identifying number, characteristic, or code.

HIPAA violations can result in up to ten years in prison and a fine of up to $250,000, so it’s crucial to understand the requirements.

You can find more information on HIPAA compliance via the U.S. Department of Health and Human Services (HHS).

HIPAA and Business Associates

Most healthcare providers don’t carry out their business activities and functions alone. Instead, they rely on services from various individuals and businesses—their business associates. For example, you might outsource accounting for your practice to an accountant, get advice on growing your business from a consultant or outsource claims processing to a third party.

Organizations subject to HIPAA rules can disclose protected health information to business associates if they meet certain conditions.

First, the business associate must need the information to carry out its service for the healthcare provider—not for its independent use or purposes.

Second, the covered entity must get “satisfactory assurances” that the business will use the information only for agreed-upon purposes, safeguard the information from misuse and help the covered entity comply with the HIPAA Privacy Rule. This assurance usually comes in the form of a written “business associate agreement” (BAA).

The BAA must:

  • Describe the permitted uses of PHI by the business associate
  • Confirm that the business associate will not disclose the PHI other than as required by the contract or by law
  • Require the business associate to have safeguards in place to prevent the use or disclosure of PHI other than as outlined in the agreement

HHS provides a sample business associate agreement.

While having a business associate agreement in place is a good start, organizations shouldn’t consider this agreement a “check-the-box” compliance activity.

Instead, you should ensure that all employees with access to PHI are familiar with the HIPAA Privacy Rule and trained on when and how to disclose that information to business associates.

You’re generally not liable for a business associate’s failure to comply with HIPAA as long as:

  1. You didn’t know and couldn’t have reasonably known that the business associate misused PHI, or
  2. You discovered the business associate’s HIPAA violation and took action to correct the situation or terminate the relationship as appropriate.

It’s also important to note that covered healthcare organizations don’t need a business associate agreement before disclosing PHI to other healthcare providers for treatment or sending patient information to a lab. For example, you don’t need a BAA if you’re referring a patient to another specialist for treatment. But you would need a BAA if the other party is performing a function on behalf of your practice involving PHI.

Common Sense HIPAA Compliance

HIPAA compliance requires more than simply following the security and privacy rules. You (and your business associates) should also be able to prove that you’ve been proactive about preventing HIPAA violations by creating and following policies, training staff on HIPAA policies and notifying patients about your policies through a Notice of Privacy Practices (NPP).

The following common-sense tips (adapted from materials provided by The Security Awareness Company) provide a starting point for the safeguards your organization should put in place when dealing with PHI and business associates.

  • Only disclose PHI on a need-to-know basis and disclose only records or elements of PHI that are necessary for your business associate to perform their services.
  • Properly store and dispose of patient information.
  • Ensure employees keep smartphones, laptops and other devices in a secure location when not in their possession.
  • Be mindful of risk when accessing PHI remotely. Avoid using public Wi-Fi.
  • Keep anti-virus software up to date on all devices.
  • Only download files or open email attachments from trusted sources. Never click on suspicious links.
  • Send PHI via secure channels with end-to-end encryption.
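The first tip above (disclose only the elements of PHI a business associate needs) and the list of 18 identifiers earlier in the article can be turned into a mechanical check. The following Python is an added example, not code from the article or from Windham Brannon: it models a business associate agreement as an allowlist of record fields, strips every field the agreement does not permit, and scans permitted free-text fields for identifier patterns (SSN, phone, email, IP) that would otherwise leak past the field filter. The field names, the sample patient record and the BAA are constructed for illustration, and the regular expressions cover only a few identifier categories; they are not a complete Safe Harbor de-identification method.

```python
import re
from dataclasses import dataclass

# Field names used by the constructed record below (an assumed schema, not a
# real one), mapped to the HIPAA identifier category each field falls under.
IDENTIFIER_FIELDS = {
    "name": "names",
    "street": "geographic subdivisions smaller than a state",
    "dob": "dates",
    "phone": "telephone numbers",
    "email": "email addresses",
    "ssn": "Social Security numbers",
    "mrn": "medical record numbers",
    "plan_id": "health plan beneficiary numbers",
    "ip": "IP addresses",
}

# Identifier patterns that commonly leak inside free-text fields (illustrative
# subset; real de-identification needs far broader coverage).
TEXT_PATTERNS = {
    "Social Security numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone numbers": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email addresses": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "IP addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


@dataclass(frozen=True)
class BusinessAssociateAgreement:
    """The parts of a BAA this example enforces: who, why, and which fields."""
    associate: str
    purpose: str
    permitted_fields: frozenset


def redact_text(text):
    """Replace identifier patterns in free text; return (clean_text, categories found)."""
    found = []
    for category, pattern in TEXT_PATTERNS.items():
        if pattern.search(text):
            found.append(category)
            text = pattern.sub(f"[{category} redacted]", text)
    return text, found


def prepare_disclosure(record, baa):
    """Apply the minimum-necessary principle for one business associate.

    Returns the subset of `record` the BAA permits plus an audit dict listing
    the identifier categories withheld and any redactions made in free text,
    so the disclosure decision can be logged alongside the data that left.
    """
    disclosed = {}
    audit = {"associate": baa.associate, "purpose": baa.purpose,
             "withheld": [], "redacted": {}}
    for field_name, value in record.items():
        if field_name not in baa.permitted_fields:
            if field_name in IDENTIFIER_FIELDS:
                audit["withheld"].append(IDENTIFIER_FIELDS[field_name])
            continue
        # Permitted identifier fields (e.g. mrn) pass through unchanged;
        # permitted free-text fields are scanned for embedded identifiers.
        if isinstance(value, str) and field_name not in IDENTIFIER_FIELDS:
            value, categories = redact_text(value)
            if categories:
                audit["redacted"][field_name] = categories
        disclosed[field_name] = value
    return disclosed, audit


# Constructed sample data: not a real patient, not a real vendor.
PATIENT_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1984-07-19",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "mrn": "MRN-0042",
    "plan_id": "HP-77123",
    "diagnosis": "J45.20",
    "notes": "Patient asked to be called back at 555-123-4567 after 5 pm.",
}

CLAIMS_VENDOR_BAA = BusinessAssociateAgreement(
    associate="Example Claims Processing LLC",
    purpose="claims processing",
    permitted_fields=frozenset({"mrn", "plan_id", "dob", "diagnosis", "notes"}),
)

if __name__ == "__main__":
    data, log = prepare_disclosure(PATIENT_RECORD, CLAIMS_VENDOR_BAA)
    print("disclosed:", data)
    print("audit:", log)
```

In this run the name, SSN and email never reach the vendor because the agreement does not list them, and the phone number buried in the notes field is replaced before the notes are sent. The audit dict is the piece worth keeping: it records which identifier categories were withheld and what was redacted, which is the kind of evidence the "prove you've been proactive" point above asks for.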

Ensuring you, your staff, employees and business associates understand the rules and requirements of HIPAA is essential to remaining compliant and avoiding penalties. However, HIPAA is complicated, and the Office for Civil Rights regularly updates policies and procedures.

If you need industry-specific advice related to HIPAA compliance, reach out to your Windham Brannon advisor or contact Melissa Purvis. We can help you remove complexities from managing healthcare information securely and effectively.