Failure to understand what your IT firm is doing with regard to HIPAA compliance can and will have major negative consequences for your business. The severity of this topic cannot be taken lightly. There are many circumstances that may be overlooked with regard to HIPAA compliance that could end up costing your company thousands of dollars in the event of a data breach.
A covered entity must have a business associate agreement (BAA) in place with all of its providers. Some IT firms and covered entities forget who might have access to protected health information (PHI). Copier and printer firms, IT services, couriers, or anyone else who could come in contact with PHI must have a BAA in place.
One item that is commonly overlooked is where exactly all copies of your backup information are. If your IT firm is moving your data to the cloud, the cloud provider needs to be HIPAA compliant and have a BAA in place. If your company stores backup tapes or external hard drives at someone’s house, they need to be returned to the office immediately. Storing these items in an employee’s home poses a serious risk of a data breach.
A covered entity should be absolutely certain that its IT firm is as concerned about HIPAA as it is and has taken significant steps to protect PHI. Does the IT firm have the right insurance? Do they understand your BAA, or have they provided one to you? Do they encrypt hard drives? There are many more questions that must be properly answered, at the very least annually. When was your last HIPAA audit, and who reviewed the results?
KME works with an excellent independent firm to audit our work internally and our clients’ HIPAA processes. This firm continually provides a detailed list of issues for both KME and our clients to correct so we can all stay ahead of compliance needs. You don’t want to find out during an audit that your IT firm or your internal compliance officer didn’t understand compliance law. The fines can be huge, exceeding millions of dollars.
Your IT firm must take HIPAA compliance seriously. This article is strictly informative in nature and not intended to provide legal advice. Have your own legal counsel review your compliance to protect your interests. For HIPAA compliance, an ounce of prevention is worth 10 pounds of cure.