Health care technology has put more employers in contact with their employees’ private health information, and an update to federal privacy and security regulations concerning those records goes into effect Sept. 23. As a result, many firms will soon be treated with the same stringency as a hospital when it comes to maintaining health data security.
Meanwhile, the web of businesses that come into contact with customers’ or employees’ health information is growing larger; including but not limited to software developers, network services providers, data storage firms, personal injury lawyers, maintenance and custodial companies and other service providers.
Owners of those any other small firms that come into contact with health information should take note of the changing regulations, which apply to the Health Insurance Portability and Accountability Act, or HIPAA, and the Health Information Technology for Economic and Clinical Health Act, or HITECH.
laws define the types of organizations that are most likely to create or store health information, and call them “covered entities,” which most often refer to hospitals, physicians, health plans and other health information clearinghouses. Starting Monday, the regulations will be expanded to include contractors that do business with these covered entities and have access to their electronic protected health information.
Since the inception of HIPAA, companies doing business with hospitals or health insurers have had to comply with privacy and security provisions for protected health information in all forms. In the past, these contractors that had access to protected health information were typically required to sign “business associate agreements,” which were a type of non-disclosure agreement.
However, the updated rules under HIPAA and HITECH now require business associates with access to protected health information to fully comply with HIPAA and HITECH on their own and implement the same checks and safeguards to prevent privacy and security breaches.
Further, subcontractors of these third parties are now also considered “business associates” for purposes of HIPAA/HITECH compliance, meaning that companies must look not only to their direct contractors, but to the subcontractors of those entities to ensure that they are HIPAA/HITECH compliant as well.
One nuance that has flown under the radar is that the HIPAA and HITECH privacy and security rules also apply to companies that self-insure all or a portion of their employee health insurance coverage and collect protected health information from their employees. These types of companies are generally considered to be “health plans” under HIPAA and, as a result, must comply with HIPAA and HITECH.
This typically affects larger companies that can afford to self-insure all or a portion of their employee health insurance coverage, though some small employers are starting to seek this type of plan.
Costly violations can stem from mistakes that are seemingly easy to make. Affinity Health Plan, a New York managed care company, recently settled for $1.2 million in fines regarding claims that the company forgot to clear a hard drive containing PHI that was attached to a copy machine being removed from their administrative offices.
So what should small business owners do to ensure they meet HIPAA guidelines? Start with these steps.
1. Complete a risk assessment. Business owners should work with experts to identify the parts of the law that apply to their company and create a compliance to-do list.
2. Update company policies. An update to internal policies should comply in full with the requirements of HIPAA and HITECH. Small businesses may come across template policy language for purchase, but the use of template policies that are not tailored to the specific company and its operating environment is not recommended.
The preparation of specifically tailored policies is essential to ensure the policy is meaningful and will be adhered to by employees, which are keys for demonstrating compliance.
3. Be ready for enforcement. Regulators are likely to focus first on larger health care players, and those entities will likely require their contractors to demonstrate full compliance with the new rules.
But, as the Affinity Health Plan case illustrates, many different types of entities are at risk for enforcement. It is also worth considering that If HIPAA and HITECH enforcement tracks patterns of other legislation, whistleblowing by disgruntled former employees is a potential source of notification to regulators of non-compliance
4. Conduct yearly checkups of technology systems and policies. Once in place, annual maintenance is likely to be much less intensive.
Michael Stovsky is Chair of the Innovations, Information Technology & Intellectual Property (3iP) Practice Group at the Cleveland office of international business law firm Benesch.