A prominent misunderstanding among vendors serving the healthcare industry is that they are not subject to HIPAA compliance. In fact, vendors are required to maintain HIPAA compliance alongside the healthcare providers themselves. Under the 2009 American Recovery and Reinvestment Act (ARRA), business associates (IT vendors, etc.) are subject to nearly all the same liabilities, penalties and punishments associated with any breach of patient data.
But that was three years ago, so why are we talking about it now? Recently, the Minnesota attorney general brought charges against a business associate for not maintaining HIPAA compliance. The Minnesota company at fault, business associate Accretive Health, Inc., lost an unencrypted laptop, compromising 23,500 patient records. Typically, HIPAA has not been strictly enforced against business associates, either by regulators or in court. In fact, people often ask whether HIPAA really has any “teeth.” The Minnesota litigation, however, is the first time a business associate has actually had to face up to ARRA and HITECH’s rules.
So, what does this mean for a healthcare provider evaluating business associates? First, the risk associated with HIPAA is now truly shared. Business associates, including IT solutions providers and EMR hosting providers like Claris Networks, now directly share the risk of HIPAA compliance with the healthcare provider. Second, the businesses your practice partners with have just as much incentive to safeguard and maintain the security of your patients’ data as the practice itself. Finally, this action makes it just as important to choose business associates that can prove their ability to maintain the privacy of your patient data.
In the next post, we will look at how you can evaluate business associates that do just that.