HIPAA-compliance is a vital practice all businesses must adhere to when handling Protected
Health Information (PHI) and Electronic Patient Health Information (ePHI). Ever since the final
HIPAA omnibus ruling came into effect in March 2013, the Health and Human Services Office
for Civil Rights began cracking down on non-compliant Covered Entities and Business Associates.
Even with these new changes in effect, many Covered Entities and Business Associates continue
to conduct their daily communications in an insecure manner and, whether aware or not, in a
method that is in clear violation of HIPAA’s standards.
Many are well aware of the consequences and have taken the necessary steps to become
compliant. For those who have not, or are not sure if they are compliant, we have outlined the
steps you can take to rectify this, as well as list the ramifications you may be subject to if found
in non-compliance.
The intention of this post is not to scold or make an example of anyone, but to educate
those who may still be in danger of being found in direct violation of HIPAA’s standards.
An important first step to take to becoming HIPAA-compliant is to have a Business Associate
Agreement (BAA) in place. You must share the BAA with all vendors such as answering services
, shredding companies and anyone else who might come into contact with PHI. Once
these agreements are signed and all parties enter into the contract, it ensures that the Business
Associates meet HIPAA standards by protecting PHI. If they do not, they are liable and subject
to civil and criminal penalties for actions not authorized in your BAA.
In regards to having a BAA in place to further protect your PHI, it would also be beneficial to
your business or practice to consult with an attorney who has had experience with medical and
HIPAA regulations. When it comes to being compliant, it’s not necessarily a bad thing to be over
prepared.
One of the fastest growing concerns with the protection of PHI/ePHI is the use of SMS, also
known as “text messaging”. While convenient, it is commonly mistaken as a safe and secure
method of sharing PHI/ePHI.
