Fun fact: HIPAA, the 1996 healthcare law (the Health Insurance Portability and Accountability Act) whose Privacy and Security Rules govern how your medical information is handled, reaches a lot further than you may have believed. Do you know whether your business is a covered entity or a business associate? Not knowing the answer could mean big fines.
HIPAA governs security for the obvious: hospitals, private practices, and medical providers. But it also reaches the less expected: health insurance brokers, your HR department if it administers a group health plan, and even your IT team if it can access patient data. Since we began working on HIPAA compliance with clients in early 2017, we’ve found many gaps where business owners didn’t know they were required to be compliant.
If you create, receive, store, or transmit protected health information on behalf of a covered entity, even if your business has nothing to do with healthcare, you’re a business associate and you must also be HIPAA compliant! Compliance is also easy to lose; from one unlocked laptop left unattended while its user is at lunch, to sloppy password management, HIPAA can get really complicated really fast.
Here’s the actual rule, straight from HHS (the U.S. Department of Health and Human Services): “The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associates that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.” Those assurances take the form of a written business associate agreement. Do you know if your business associates are HIPAA compliant?
Don’t get too far into 2018 without double-checking your security requirements. Remember, protected health information (PHI, or ePHI for its electronic cousin) covers any individually identifiable health information, from phone numbers and addresses to official diagnoses and everything in between.