[{"innerBlocks":[],"name":"core\/freeform","postId":125923,"blockType":{"name":"core\/freeform","keywords":[],"attributes":{"content":{"type":"string","source":"raw"},"lock":{"type":"object"}},"providesContext":[],"usesContext":[],"selectors":[],"supports":{"className":false,"customClassName":false,"reusable":false},"styles":[],"variations":[],"apiVersion":3,"title":"Classic","description":"Use the classic WordPress editor.","category":"text"},"originalContent":"If you run a small healthcare organization, you probably aren\u2019t itching to take a deep dive into the nuanced complexities of your legal responsibilities under HIPAA or the details of how you must safeguard patients\u2019 personal health information from a data and technology perspective.

Given the choice, you\u2019d probably prefer to focus attention solely on your business\u2014that\u2019s why you hire IT solution providers to fulfill technology needs and to understand HIPAA on your behalf.

However, HIPAA happens to include something of an ironic Catch-22 in that the regulation does demand that you to be aware of at least one aspect of the law and be responsible for meeting it on your own.

The issue is this: the law requires that a HIPAA Covered Entity (any provider, health plan or clearinghouse) must make sure that any \u201cbusiness associate\u201d (including IT vendors) that has the ability to access PHI must itself be fully HIPAA compliant. The legal burden to ensure that your IT vendor is a responsible caretaker of sensitive data is on you, even though you hire the IT company to both handle that responsibility and provide the expertise to know about burdens such as this in the first place.

From a regulatory perspective, this requirement makes complete sense. It would be a huge and dangerous loophole if passing PHI to a third party placed it outside of HIPAA\u2019s safeguards, and who better than the company enlisting any third parties to continue to be responsible for its own PHI?

It\u2019s only as a practical matter for small healthcare organizations relying on vendors for IT and related compliance expertise that the requirement becomes somewhat absurd. Unfortunately, with HIPAA violations carrying penalties averaging in the five-figures\u2014not to mention the often-costlier reputational damage done when an organization is publicly cited for unsafe data handling practices\u2014most small healthcare providers can\u2019t afford to be out of compliance.

To navigate this Catch-22, here\u2019s what you need to do. You must be aware of HIPAA\u2019s business associate standards, and you must carefully vet your managed service providers (MSPs) to ensure that they fully understand (and comply with) this aspect of HIPAA.

You also need to understand one other HIPAA requirement\u2014a covered entity\u2019s business associates must sign and operate under a business associate agreement (BAA), which is legal document that specifies the conditions under which a business associate is allowed to interact with PHI. The BAA can include details such as the exact tools\u2014data encryption, device access controls and more\u2014that an IT vendor delivers to achieve effective and HIPAA-compliant data protections. A BAA must be executed with vendors before any PHI is shared.

Therefore, when it comes to the responsibility of vetting IT companies, one valuable technique is to enlist those that proactively delineate your responsibilities under HIPAA, and offer a robust BAA as part of their services to you.

In reviewing and vetting existing IT suppliers, it\u2019s essential to make sure not only that any MSP your organization works with is HIPAA compliant, but also that they have a thorough knowledge of both their responsibilities as a business associate and their requirements under HIPAA\u2019s BAA criteria. Any current MSP should have effective procedures, processes, and services in place to ensure that you, as their covered-entity client, are compliant as well.

It\u2019s common for covered entities to work with service providers, such as Compliancy Group, that explicitly provide HIPAA risk assessment, compliance coaching, employee training, audit support, and will even verify compliance to help organizations in the event of a HIPAA audit. Such providers simplify compliance on your behalf, helping to demonstrate that your contracts with current and future IT providers meet HIPAA regulatory standards.

By understanding the HIPAA requirements that your small healthcare organization has a direct responsibility to meet, you can make sure that your IT vendors will handle the rest when it comes to establishing fully compliant practices.","saveContent":"If you run a small healthcare organization, you probably aren\u2019t itching to take a deep dive into the nuanced complexities of your legal responsibilities under HIPAA or the details of how you must safeguard patients\u2019 personal health information from a data and technology perspective.

Given the choice, you\u2019d probably prefer to focus attention solely on your business\u2014that\u2019s why you hire IT solution providers to fulfill technology needs and to understand HIPAA on your behalf.

However, HIPAA happens to include something of an ironic Catch-22 in that the regulation does demand that you to be aware of at least one aspect of the law and be responsible for meeting it on your own.

The issue is this: the law requires that a HIPAA Covered Entity (any provider, health plan or clearinghouse) must make sure that any \u201cbusiness associate\u201d (including IT vendors) that has the ability to access PHI must itself be fully HIPAA compliant. The legal burden to ensure that your IT vendor is a responsible caretaker of sensitive data is on you, even though you hire the IT company to both handle that responsibility and provide the expertise to know about burdens such as this in the first place.

From a regulatory perspective, this requirement makes complete sense. It would be a huge and dangerous loophole if passing PHI to a third party placed it outside of HIPAA\u2019s safeguards, and who better than the company enlisting any third parties to continue to be responsible for its own PHI?

It\u2019s only as a practical matter for small healthcare organizations relying on vendors for IT and related compliance expertise that the requirement becomes somewhat absurd. Unfortunately, with HIPAA violations carrying penalties averaging in the five-figures\u2014not to mention the often-costlier reputational damage done when an organization is publicly cited for unsafe data handling practices\u2014most small healthcare providers can\u2019t afford to be out of compliance.

To navigate this Catch-22, here\u2019s what you need to do. You must be aware of HIPAA\u2019s business associate standards, and you must carefully vet your managed service providers (MSPs) to ensure that they fully understand (and comply with) this aspect of HIPAA.

You also need to understand one other HIPAA requirement\u2014a covered entity\u2019s business associates must sign and operate under a business associate agreement (BAA), which is legal document that specifies the conditions under which a business associate is allowed to interact with PHI. The BAA can include details such as the exact tools\u2014data encryption, device access controls and more\u2014that an IT vendor delivers to achieve effective and HIPAA-compliant data protections. A BAA must be executed with vendors before any PHI is shared.

Therefore, when it comes to the responsibility of vetting IT companies, one valuable technique is to enlist those that proactively delineate your responsibilities under HIPAA, and offer a robust BAA as part of their services to you.

In reviewing and vetting existing IT suppliers, it\u2019s essential to make sure not only that any MSP your organization works with is HIPAA compliant, but also that they have a thorough knowledge of both their responsibilities as a business associate and their requirements under HIPAA\u2019s BAA criteria. Any current MSP should have effective procedures, processes, and services in place to ensure that you, as their covered-entity client, are compliant as well.

It\u2019s common for covered entities to work with service providers, such as Compliancy Group, that explicitly provide HIPAA risk assessment, compliance coaching, employee training, audit support, and will even verify compliance to help organizations in the event of a HIPAA audit. Such providers simplify compliance on your behalf, helping to demonstrate that your contracts with current and future IT providers meet HIPAA regulatory standards.

By understanding the HIPAA requirements that your small healthcare organization has a direct responsibility to meet, you can make sure that your IT vendors will handle the rest when it comes to establishing fully compliant practices.","order":0,"get_parent":{},"attributes":[],"attributesType":{"content":{"type":"string","source":"raw"},"lock":{"type":"object"}},"dynamicContent":""}]

Why HIPAA requirements extend far beyond providers’ walls

More for you