The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 and includes provisions that require that an individual’s personal health information remain secure and confidential. The 1996 law was reinforced by the passage of the HITECH Act in 2006, which addressed the risks created by the use of electronic medical records. As healthcare organizations keep moving to electronic record keeping, the threats to data security become greater. In addition, the 2006 law significantly increased the fines and penalties for HIPAA violations.
HIPAA acts to regulate and secure what is known as Protected Health Information (PHI). With the passage of the HITECH Act, PHI now also includes electronically stored and maintained PHI, known simply as ePHI. PHI and ePHI are any data, or combination thereof, that can be used to identify an individual. It doesn’t take much for information to qualify as PHI. Just a few examples of what constitutes PHI: a driver’s license number, license plate numbers, photos, names of relatives, identified test results, SSN, medical ID, age, voicemail, URLs, telephone numbers, email and postal addresses, and medical images. In other words, almost everything collected by a healthcare organization falls under the protections of HIPAA. More importantly, any outside organizations that provide services to health-related organizations are also in “possession” of PHI. As a result, any organization that comes into contact with PHI, no matter how tangentially, is covered by HIPAA. Such organizations are responsible for maintaining PHI security, and are subject to fines and penalties if PHI is breached.
Risk Assessments are Required for Business Associates
Adhering to HIPAA security regulations is not just about putting together a set of guidelines for handling PHI and keeping it secure. HIPAA also requires that an organization conduct a thorough and complete risk assessment to determine what actions need to be taken to keep its data secure. And it isn’t just healthcare providers and medical organizations that are touched by this risk assessment requirement.
The reach of the HIPAA risk assessment requirement was expanded and now covers almost any entity that touches PHI. In HIPAA jargon, both Covered Entities and Business Associates are now required to conduct a risk assessment. Covered Entities (CE) were the focus of the original 1996 law. These are entities that in the normal conduct of business, create, maintain, directly access, and/or transmit PHI and ePHI. Examples of these entities are healthcare providers, clearinghouses, insurance plans, and employers who self-insure. Since then, updates to the law have expanded its regulatory coverage area to include Business Associates (BA). BAs are those entities that come into contact with PHI through that entity’s association with a CE.
This expansion to BAs consequently pulls in a wide swath of possible organizations. Examples could be law firms and accounting firms that provide services to a CE. Other examples might include IT contractors, managed service providers, billing firms, data storage centers, video and audio conferencing services, and even email servers. No matter how oblique their contact with PHI, even if it is only in the aggregate, BAs are required under the HITECH Act to conduct a HIPAA risk assessment, and are also subject to penalties.
A HIPAA risk assessment is a complex and involved process, even for a BA with minimal data contact. With the dominance of digitally stored, maintained, and transmitted data, this risk assessment should only be handled by a thoroughly experienced data professional. Organizations that wish to avoid penalties as a result of an audit should contact a professional service provider with experience in the field of healthcare data security and the specifics of a HIPAA risk assessment.