Best Practices & Perspectives
Get Ready, all you who do business with health providers.
Quietly, the Feds recently set the stage for a massive expansion of enforcement of privacy rules under the Health Insurance Portability and Accountability Act (HIPAA).
The message: Even if you are not a covered entity under HIPAA, if your business has potential access to any private health information, be prepared for the Feds to take enforcement action against you only for any breaches of privacy. In a fact sheet from the Office for Civil Rights (OCR), the word “only” is underlined.
Translation: The Feds’ authority to go after a business associate under HIPAA is nothing new, but, in practice, business associates typically came under scrutiny as an offshoot of an inquiry into a healthcare provider or insurer.
In its new fact sheet, the OCR shifts focus to direct liability of a business associate.
“As part of the Department’s effort to fully protect patients’ health information and their rights under HIPAA, OCR has issued this important new fact sheet clearly explaining a business associate’s liability,” said OCR Director Roger Severino.
Now, think of all the types of businesses that could be held accountable – absent of anything involving the health organization for which they provide service. The list is ubiquitous. Cleaning crews, construction contractors, shredding companies, transportation outfits… on and on.
In short, Business Associates should be ready to be held accountable independent of the health provider they serve – and they should understand what’s at stake so they can prepare accordingly.
MyHIPAA Guide, based in Akron, Ohio, is a consultancy and subscription service offering HIPAA-covered entities and Business Associates a sensible program for managing HIPAA compliance.