HIPAA/HITECH Compliance Is All or Nothing
I’ve worked with HIPAA compliance ever since it was signed into law in 1996. Over the years of working with many covered entities (CEs), and, since HITECH was signed into law, with a very large number of business associates (BAs), I’ve heard some of the same questions repeatedly. One I am getting more often from BAs, who for the most part are just now realizing that they need to get into compliance with HIPAA and HITECH, is: “With what parts of HIPAA and HITECH do I have to comply?”
BAs, as well as CEs, need to understand that they must comply with all HIPAA Security Rule and HITECH requirements. CEs need to comply with all HIPAA Privacy Rule requirements, and BAs will need to comply with them as well, depending on the types of services and products provided to CEs. An important point is that CEs and BAs must safeguard protected health information (PHI) at *ALL* times according to all the regulatory requirements.
I recently had a BA that provides cloud services to CEs tell me that they did not think that they needed to follow the HIPAA Security Rule Physical and Administrative requirements since they were a cloud service, which they viewed as being a strictly technology-based service, and since they used an outsourced data center. So, they thought they only had to follow the requirements listed within the Technical Requirements of HIPAA (45 CFR §164.312). Au contraire, mon frère! You cannot be selective in this way.
I had another BA tell me that they received patient databases from a CE that contained names, email addresses, mailing addresses, and assorted related medical information. They understood that the data had to be protected when it was sent from the CE to them, because they understood that it was PHI coming from the CE. Where their confusion came in was what they had to do after they received it. They asked, “We can send these files on to the companies who do outsourced work for us without any special security, right? It’s no longer PHI if we are sending it to a company that is not a CE, right?” WRONG!
Unless it has been de-identified (another topic for another time), PHI remains PHI after a BA receives it, and throughout any business processing, storage, subcontracting or other activity that occurs. Think about it; you want your doctor to protect your medical information and ensure they protect it so that it is not used inappropriately, and not shared with others who don’t need it, don’t you? Well, if they pass it along to some other organization to process, store or otherwise use, don’t you want that other organization to protect it just as stringently? One of the goals of HIPAA and HITECH is to ensure PHI remains appropriately secured no matter who is handling it. It’s all about protecting PHI, not about who is touching PHI. That’s an important point to understand. HIPAA/HITECH compliance is basically all or nothing; it’s not a pick-and-choose proposition.
Guest Blogger Rebecca Herold
Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI, is owner and CEO of Rebecca Herold & Associates, LLC, is partner in Compliance Helper, has been an adjunct professor for the Norwich University Master of Science in Information Assurance (MSIA) program since 2005, is working on her 15th published book, was recently voted the 3rd best privacy advisor in the world by Computer World, in addition to doing many other assorted information security, privacy and compliance activities. Rebecca Herold is also the author of the Realtime eBook Understanding Data Protection from Four Critical Perspectives available from CREDANT Technologies.
A good discussion can be started on this post, as I do not fully agree with you, but nevertheless, good post.
Information Security policies should be in line with Federal Law. The NIST is a good foundation for your policies. They should be applied across the board and be driven by requirements for “meaningful use”. It’s a battle. As an Information Security Officer I live it every day. Easier said than done; however, policies that are not consistent across the board are not policies. You would be better off not having any and pleading ignorance.
It’s hard to find knowledgeable people on this topic, but you sound like you know what you’re talking about! Thanks
Your article, HIPAA/HITECH Compliance Is All or Nothing CREDANT | Data Non-Disclosure, really made me stop and think about this subject. Not only was it well written but very enlightening as well. I have added your blog to my link roll and will be back to read future pieces.
How surprising that CEs think PHI changes once it is in the hands of the BA; this seems to open them up to data breaches/HIPAA violations.
Register for Thursday’s webcast with guest speaker Rebecca Herold on HIPAA and HITECH for healthcare organization’s business associates. http://www.credant.com/campaigns/intensivecare/email.html
This article is right on. Unfortunately, things are changing but painfully slow. How do I know? Our company is an EHR approved certification body and the only certification body for applications that provide Electronic Prescriptions for Controlled Substances.
The most tragic metric of all is that healthcare data breaches are epidemic. Yet at the same time, HHS provides a safe harbor for healthcare organizations that process PHI. See our web site infogard.com for more information
Congratulations on 10 successful years
Mac Brinton