We’re seeing more and more cases of business associates (BAs) of healthcare facilities being fined under HIPAA provisions – a trend that looks to only be ramping up, not slowing down. As a result, healthcare recruiters need to meet HIPAA requirements as a BA, or face fines starting at $50,000 per incident, depending on the severity of the case.
Why You Need to Understand the HIPAA Privacy Rule
Medical staffing agencies, take heed: The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to enforce HIPAA requirement. The Privacy Rule addresses the use and disclosure of the health information for individuals by covered entities (CEs) subject to the Rule. It also creates a standard for individual privacy rights to control and understand how their health information is used.
Within HHS, the Office for Civil Rights (OCR) has a responsibility to implement and impose the HIPAA Privacy Rule with respect to voluntary compliance activities and civil money penalties. Anyone can file a complaint with the OCR if they believe a HIPAA violation has occurred.
Do I Need to Be HIPAA Compliant?
This is the question of the hour, reverberating throughout the land.
As a healthcare staffing agency, if your application handles protected health information (PHI) then you need to be HIPAA compliant as a BA. If you fail to be in compliance, then you are subject to potential civil and criminal penalties as a result of HIPAA violations. The HIPAA rules apply to both Covered Entities and their Business Associates.
Covered entities are anyone who provides treatment, payment, and operations in healthcare. Covered entities include companies and organizations such as:
- Doctor’s Offices
- Dental Offices
- Psychologists and Psychiatrists
- Health Plans, Insurance Companies, HMOs and more.
Business associates include healthcare recruiters and medical staffing agencies. Basically, if you’re making an mHealth, eHealth or wearable applications that manage Electronic Protected Health Information (ePHI), then you are a Business Associate under the HIPAA guidelines and you must be HIPAA compliant.
The Difference Between PHI and Consumer Health Information
So, how do you know if you’re dealing with protected health information (PHI) or consumer health information? The test is an easy one: if your device or application currently shares or will share the user’s personal health data held in the app or device with a covered entity such as a doctor, then you are dealing with protected health information and need HIPAA compliance software.
If you are building a wearable device or application that collects the user’s personal health information, but do not plan on sharing it with a covered entity such as a doctor at any point in time, then you do not need to be HIPAA compliant and do not violate the HIPAA Privacy Rule.
Case in point: the Nike Fuelband does not need to be HIPAA compliant because it does not track data considered to be protected health information nor allow data transmission from the device to a covered entity.
How Do I Become HIPAA Compliant?
The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).
In order to meet HIPAA compliance software requirements, you need to ensure you’re meeting the four main requirements of the HIPAA law. The four main requirements of the HIPAA Compliance Checklist are:
- You must put safeguards in place to protect patient health information.
- You must also reasonably limit use and sharing of protected health information to the minimum necessary to accomplish your stipulated task.
- Have agreements in place with service providers that perform covered functions. These agreements, called Business Associate Agreements (BAAs) ensure that service providers (Business Associates) use, safeguard and disclose patient information properly.
- Use of procedures that limit who can access patient health information, and training programs about how to protect patient health information.
Can I Get Certified as HIPAA Compliant?
The short answer is no.
Unlike PCI compliance for financial information, there is no entity that can “certify” that an organization with a HIPAA Compliance Certification. The OCR from the Department of Health and Human Services (HHS) is the federal governing body that oversees HIPAA compliance. HHS does not endorse or recognize the “HIPAA Compliance Certifications” made by private organizations.
It’s up to you to determine if your administrative, technical, and physical safeguards as a medical staffing agency meet HIPAA compliance requirements as a BA.
What Are the HIPAA Compliance Requirements?
In order to meet HIPAA compliance software requirements, you need to ensure you’re meeting the main requirements of the HIPAA law. The three main safeguard requirements of the HIPAA Compliance Checklist are:
Deals with the policies and procedures you have in place to ensure the proper employee management, training and oversight for staff that comes into contact or manages protected health information.
These are details that HIPAA compliance software manages that providers of HIPAA hosting don’t touch. They include things like encryption and decryption, audit controls, emergency access procedures, HIPAA file storage, and more. Ask us more about the technical safeguard requirements of the HIPAA security rule.
These are the safeguards around the security of the data itself. HIPAA compliant hosting companies like eSOZO cover this portion of the safeguards and includes data redundancy and failure requirements, access to servers and more. Call us to learn more about the physical safeguard requirements of the HIPAA security rule.
Need to Be HIPAA Compliant in New Jersey?
Then, contact us at (888) 376-9648 or firstname.lastname@example.org for more information. eSOZO is a highly-rated IT service provider in New Jersey that can help healthcare staffing agencies stay HIPAA compliant as a BA with our HIPAA compliance software and hosting services for NJ healthcare recruiters.
Author: Aaron White, Date: 9th September 2017