Who Has to Comply With HIPAA? HIPAA Business Associate Best Practices

We’ve all no doubt heard of the term “HIPAA” before. HIPAA refers to the Health Insurance Portability and Accountability Act signed into federal law by President Bill Clinton on August 21st, 1996. 

Unless you work in health care, you probably never paid too much attention to HIPAA. I mean, after all, only healthcare organizations have to worry about complying with HIPAA, right?

Actually, no. There are many other types of organizations that have to comply with HIPAA. In this article, we are going to determine who needs to be meeting HIPAA Privacy and Security Rules and some best practices to get you started.

Let’s start by understanding which organizations are responsible for understanding and complying with HIPAA standards.

Who Does HIPAA Apply To?

Two categories must comply with HIPPA Rules. These are covered entities and business associates. Let’s define what each of these two categories means.

HIPAA Covered Entities

The covered entity category is broken down into three subcategories: health care providers, health plans, and health care clearinghouses.

A health care provider is pretty self-explanatory- it’s any individual or organization that provides some form of medical assistance. According to the U.S. Department of Health & Human Services, this includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies. 

The next subcategory is health plans. This section includes health insurance companies, HMOs, company health plans, and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs.

Last but not least, the third section found beneath the covered entities umbrella is health care clearinghouses. If you’re not quite sure what that means, you’re not alone.

A health care clearinghouse is a “public or private entity, including billing services, repricing companies, community health management information systems or community health information systems, and ‘value-added’ networks and switches, that does either of the following functions:

  1. Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data elements or a standard transaction.
  2. Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.”

That’s one long and confusing definition. Basically, it’s any third-party provider that deals with PHI, or protected health information. PHI includes demographic information, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a health care professional collects to identify an individual. 

Examples of medical clearinghouses are patient portals that users log into online or billing companies that hospitals hire.

So, those are the three subcategories that fall under covered entities: health care providers, health plans, and health care clearinghouses.

HIPAA Business Associates

Next, the second main category covered under HIPAA is business associates. Many health care organizations don’t carry out all of their activities and functions alone. From legal duties to accounting, there are a variety of services that providers rely on to run their operations smoothly. And according to HIPAA, these business associates are just as responsible as health care providers for complying with specific HIPAA provisions- mainly the Security Rule. 

Under the HIPAA Privacy Rule, covered entities can “disclose protected health information to business associates if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.”

A couple of things to note: first, the “satisfactory assurances” that covered entities need to obtain from business associates must be in writing. This can be in the form of a contract or other agreement, but it must state that the HIPAA business associate will not use any PHI for purposes outside of the intended use. Second, a health care provider, health plan, or health care clearinghouses can be a business associate to another covered entity. 

A few of the services offered by business associates include:

  • Legal
  • Actuarial
  • Accounting
  • Consulting
  • Data Aggregation
  • Management
  • Administrative
  • Accreditation
  • Financial

Some common examples of HIPAA business associates are attorneys, CPA firms, and consultants. 

So, even if you don’t work in health care, HIPAA may still apply to your organization. And when this is the case, your company is responsible for ensuring Security, Privacy, and Breach Notification Rules are met– with a possible penalty of up to $50,000 per violation. 

HIPAA Business Associate Privacy and Security Best Practices

Here are a few basic protocols a business associate can implement to begin taking actions to become HIPAA compliant.

  1. Limit User Access: Make sure user accounts lockout after a certain number of unsuccessful login attempts. 
  2. Setup Multi-Factor Authentication: This will give your organization an additional layer of protection beyond just a username and password.
  3. Conduct an External Penetration Test: Take a look at your network from an external perspective to see what a potential cyber criminal might see and identify and weak spots.
  4. Introduce a Next-Generation Firewall: This type of firewall will give your network additional security measures such as intrusion prevention, dynamic blacklisting, content filtering, and anti-virus/anti-botnet software. 
  5. Use Encryption: Encryption is a necessary element of any secure system. Make sure you are encrypting any electronically transmitted PHI.
  6. Implement Physical Access Control: Securing digital information is essential, but don’t forget to secure your physical premises. Use access controls like keycards or scanners and make sure guests always have guest badges.
  7. Manage and Review Account Configuration: A significant piece of the HIPAA puzzle is ensuring that users only have the information essential to perform their intended service. Make sure you set up your account configuration so that users don’t receive more information than they need. 
  8. Train Your Users: This may be one of the most critical security measures you can put in place in your organization. All employees must understand cybersecurity standards and how to identify a potential threat or scam.

Begin Your HIPAA Compliance Journey Today

So, there you have it. HIPAA goes beyond just the health care industry. And if HIPAA applies to you as a business associate, you need to be compliant. Start with the steps laid out above, but remember to look internally at your organization from top to bottom and determine other security measures you may need to put in place. 

Once you have selected the safeguards you want to implement, it’s a good idea to have a third-party come in and assess your system. A third-party will be able to look at your system from a different perspective and confirm you aren’t missing anything.

Don’t forget to continually monitor your systems and safeguards, as new threats are always popping up

If you are a HIPAA business associate in need of an assessment, contact us today. We can provide you with a free, no-obligation cybersecurity audit to help you determine any weaknesses in your system.

To learn more about protecting you and your business from cybersecurity threats, check out our Ultimate Guide To Cybersecurity!

The Ultimate Guide To Cybersecurity

Related Insights