Business information is the lifeblood of any organization. Yet often a clear delineation is made between business data and personal data. However, in healthcare, both data types are one and the same, and healthcare organizations are tasked with the responsibility of safeguarding sensitive patient information.
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) set what would become the ground rules for the responsible management of healthcare information, with the Department of Health and Human Services (HHS) serving as the enforcement watchdog to ensure compliance. However, technological advances in both the delivery of patient care and the storing and transmission of personal health information (PHI) have required that HIPAA regulations be constantly updated.
The Challenge in Managing Personal Health Information (PHI)
For healthcare organizations, safety and security concerns regarding PHI tend to focus less on the security of their networks and more on how that information is accessed and shared as part of their daily operations. The transition from paper records to electronic health records (EHR) has helped to streamline the claims submission and resolution processes, as well as the sharing of information between providers for treatment and research purposes. Yet the complexity of these processes creates numerous points at which PHI can be improperly shared or lost along the way.
The penalties for HIPAA violations can be both swift and severe. Monetary cost can be as much as $50,000 per violation, with organizations subject to up to $1.5 million in penalties per year. Yet beyond that, organizations that are hit with HIPAA penalties can face expenses related to:
- Discovery and remediation
- Legal fees
- Loss of customer and patient revenue
New Challenges for New Types of Service Providers
Healthcare organizations are very familiar with these penalties and their inherent consequences, but what about those companies that operate as their business associates (BAs)? The recent Health Information Technology for Economic and Clinical Health Act (HITECH) extended to organizations functioning as BAs the responsibility to comply directly with HIPAA.
Under this new standard, the definition of a BA is any organization that “creates, receives, maintains, or transmits protected health information for a function or activity… including claims processing or administration, data analysis, utilization review, quality assurance, patient safety activities… billing, benefit management, practice management, and repricing.” This definition has also been applied to providers of cloud computing services.
If your organization falls into this group, HIPAA and HITECH compliance is now a very real part of your world. Yet if you are able to adapt successfully to this new environment, even more advantages could potentially await you. Healthcare organizations are increasingly looking to improve many of their business processes through automation, and the HIPAA-related risks associated with bringing on new business partners often limit the pool of providers they have to choose from.
If your organization can demonstrate a firm understanding of HIPAA/HITECH, and show the safeguards necessary to remain compliant, then you suddenly become a very attractive provider option in a space with already-limited competition.
The HHS has shown a very strong resolve in enforcing HIPAA and penalizing violations over the years. While the proliferation of EHR may have provided new opportunities for collaboration between your organization and the healthcare industry, it has also opened the door to oversight from the HHS.
Remaining HIPAA-compliant can present a number of challenges to your company. I.S. Partners, LLC is well-acquainted with HIPAA as well as the new standards that have come from HITECH. With our help, you’ll be prepared to take these changes in stride, and to continue to operate as a trusted BA to your healthcare partners without the concern of potential HIPAA or HITECH infractions.