The Health Insurance Portability and Accountability Act (HIPAA) is a complex law, to put it mildly. It contains no shortage of tricky nuances that any business handling patients' protected health information (PHI) must understand and adhere to in order to remain in legal compliance (and thus avoid potentially devastating enforcement actions). Unfortunately, these same businesses often struggle to gain a firm grasp on precisely how HIPAA requires them to behave in all phases of their operations. Because ignorance of the law is no excuse or protection, many of these businesses contract technology solution providers, which they entrust to implement and maintain HIPAA-compliant practices. However, in what amounts to a Catch-22 in the HIPAA framework, any HIPAA-covered entity is itself required to ensure that its technology providers are HIPAA compliant, even though it may (and often does) rely on those providers for the totality of its understanding of HIPAA in the first place.
Under HIPAA regulations, any "business associate" (a person or organization that creates, receives, maintains, or transmits PHI on behalf of a HIPAA covered entity) must be bound by a business associate agreement (BAA). Under this BAA, the business associate must follow the covered entity's requirements for patient data security, and since the 2013 Omnibus Rule the business associate is also directly liable for complying with HIPAA's Security Rule in its own right. That is to say, the covered entity (whether a hospital, medical practice, insurance provider, etc.) must make sure its business associates are HIPAA-compliant, specifically with the provisions of the Security Rule that require covered entities and their business associates to implement appropriate administrative, physical, and technical safeguards to secure electronic PHI. Encryption is one such safeguard; note that the Security Rule classifies it as an "addressable" implementation specification, which means it must be implemented where reasonable and appropriate, and where it is not, the organization must document why and put an equivalent alternative measure in place.