By Susan J. Campbell, TMCnet Contributing Editor
If you work in healthcare, you know the restrictions and provisions associated with HIPAA can be stringent. If you work outside of healthcare, you may not worry too much about these guidelines. But, what happens if you’re working with a company that touches healthcare records and they fail compliance checks? Could your business be liable?
This is not often a question considered by organizations looking at a business phone system, but with the changes to the HIPAA guidelines as of late, it may be necessary. The biggest challenge is that most of those companies that are violating HIPAA regulations don’t even know it’s a problem. Worse, these companies – like yours – could face compliance problems because the companies they work with have compliance problems. This is especially true if the company offers business phone systems.
HIPAA is a hot topic as of late as privacy concerns among citizens are on high alert given the recent NSA revelations. Still, new regulations went into effect on September 23, 2013 to strengthen HIPAA and HITECH (Health Information Technology for Economic and Clinical Health). These changes extend beyond the medical field to include any business involved in more indirect areas.
According to the Department of Health and Human Services, as featured in a recent Business2Community post, the new rules “expand many of the requirements to business associates that receive protected health information, such as contractors and subcontractors. Business associates” now include businesses that “create, receive, maintain or transmit health information for other businesses covered by HIPAA, the HITECH Act and their regulations.”
If a business phone system is obtained from a firm that stores protected health information in voice mails or recorded calls, or from other companies that offer general IT and other services to medical companies, compliance has to be a priority. One company’s compliance depends on making sure its vendors comply as well, especially if they fall into the business associate category.
Fortunately, Business2Community offers some great insight into how you as the business owner can ensure your vendors are complying as necessary to avoid unnecessary risk. If you’re not sure it’s worth your time, consider that fines can reach up to $1.5 million per year for extensive violations. So take the time to do the backend work needed to protect yourself and the company you’ve built by asking these important questions.
Are you a HIPAA-compliant business associate? A number of companies are not, and simply signing a contract could put you at risk. A business phone system provider may not know they need to adhere to the guidelines, so ask the question.
What have you done to ensure compliance? This is likely an extensive and ongoing process. If you get a quick and simple answer, keep looking for the right provider as this one missed the mark.
Have independent experts assessed your HIPAA compliance? This is important, as relying solely on an in-house assessment could mean disaster for this provider and for you. Third-party verification ensures they didn’t sweep anything under the rug and have fixed any issues that could put them or you at risk.
Will you provide a HIPAA Business Associate Agreement? This means the provider is willing to stand behind its compliance and put it in writing that the proper privacy and security controls are in place.
Can all the services you provide be configured to meet HIPAA requirements? It’s possible the business phone system provider can’t meet HIPAA compliance for some of the services it offers. They may not want to try if the cost is too high and the benefit too low. You should be notified if an available service does not meet the criteria.
Will you recommend specific configurations to ensure compliance? If compliance is a priority and a compliance officer is available to help you configure the business phone system, this is likely a good vendor to consider.
Will you provide encryption for data in motion and data at rest? It’s common for data to be transmitted without encryption, which is a big HIPAA misstep. Not all firms offer encryption for moving and at-rest data, so it’s important to ask the question.
A smaller firm may not be able to meet all HIPAA requirements simply due to the cost of compliance. But don’t let size be the only indicator when making your decision. Ask these seven questions and rate the answers according to the information provided here. At that point, you’ll be much better positioned to make an educated decision.
Edited by Rory J. Thompson