IT Professionals Beware: The Devil Is In The (HIPAA) Details

Since 2009, with the enactment of the HITECH Act and the EHR "meaningful use" requirements that followed it, healthcare has finally been making its way into the 21st century. However rushed and heedless the process may have been, one thing is certain: it was long overdue. A direct result of that shift has been a tremendous and still-growing demand for IT expertise. Today the vast majority of small healthcare organizations, and even some mid-sized ones, rely heavily on outside IT professionals and MSPs to meet their technology needs. While this has created very enticing business opportunities for IT professionals and service providers alike, it is not all peaches and cream (or "a bed of roses," if you will).

You Don’t Know What You Don’t Know

As an IT and technical services provider you may be very proficient with operating systems, digitization, databases, networking, and technical support, among other things. You may even have proven over the years that you can deliver top-notch services to customers in other verticals. But if you are not versed in the regulatory requirements and subtleties of the healthcare industry, you may very well be putting yourself, your clients, and their patients at great financial and reputational risk without knowing it. Sadly, this is what I've found to be the case more often than not.

A big part of what I do is help healthcare organizations minimize risk, remain secure, and achieve compliance with HIPAA and other applicable regulations. That requires conducting periodic assessments of administrative, physical, and technical risks. Such assessments are key to identifying vulnerabilities and preempting potential threats. Way too often, I've found the "IT guy" to be one of the major sources of risk and non-compliance in small and midsize medical organizations.

Is it that all those IT professionals and service providers were being negligent, or doing a poor job? Not necessarily. They almost always had their customer's best interests at heart, and under other circumstances some of that work could fairly be called fine and efficient. But taken in the context of regulatory requirements, the same practices turn out to be serious mistakes. Some examples worth mentioning: undocumented access to systems containing Protected Health Information (PHI), improper handling of hardware decommissioning and media sanitization, unencrypted backup storage, use of public cloud services without a compliant agreement in place, deprecated security mechanisms, poor encryption and key management implementations, improper use of email and electronic fax services, and the list goes on. Each of these maps directly onto a Security Rule safeguard (unique user identification and audit controls, device and media controls, transmission security), which is what turns an ordinary shortcut into a compliance finding. But the single most prevalent issue isn't technical in nature at all.

What You Don’t Know Can And Will Hurt You

Under HIPAA, a Business Associate (BA) is any individual or entity that creates, receives, maintains, or transmits protected health information (PHI) for, or on behalf of, a covered entity (CE), or that provides a service to a CE where the provision of that service involves the disclosure of PHI. This holds even if the BA never actually views the PHI. The only carve-out of note is the narrow "conduit" exception for services that merely transmit data (a courier, an ISP), and it does not cover a provider with persistent access to systems that hold PHI. That means IT professionals and MSPs fall within the definition of a BA almost by default, which in turn requires a Business Associate Agreement (BAA) to be in place (45 CFR 164.504(e) and 164.308(b)). Such a document isn't a mere formality; it is a legally binding contract that spells out, among other things, the BA's obligations and its permitted uses and disclosures of PHI.

Covered entities (your clients) are the ones who must obtain satisfactory assurances that their BAs are meeting their obligations under HIPAA, and as such they are primarily responsible for making sure the required BAAs are in place. In practice, most small practices lack the expertise to do this well. Keep in mind, too, that what makes you a BA isn't a contract or any sort of document, but the fact that your activities fall within the definition set forth by HIPAA. Since the 2013 Omnibus Rule, BAs are directly liable for Security Rule compliance whether or not a BAA exists. So the absence of a BAA doesn't make you any less liable, but it does make both you and your client non-compliant, and that risks considerable monetary penalties. You should be heavily interested in this matter. For the most part, it will have to be you who takes the initiative when it comes to BAAs.

In most cases I've had to deal with, the problem isn't that there's no BAA in place but that the one in place is too vague, too broad, or nothing but a slightly modified version of a sample document provided by the U.S. Department of Health & Human Services or another organization. For a BAA to be worth anything, its language has to be well thought out and its content must be based on the specific activities the business associate will perform, in accordance with the covered entity's policies. Otherwise you may end up not only with a document that has little or no value with regard to compliance, but also agreeing to something that doesn't apply to you, is unnecessarily onerous, and/or will be of no help when a dispute between the parties needs to be resolved.

What can you do?

As with anything else in life, you should be fully aware of the responsibilities and liabilities that come with any business decision you make. After all, you wouldn't enter into any other significant contractual obligation, such as a loan or a mortgage, without first making sure you know exactly what you're getting into, right? Well, when you start dealing with organizations governed by regulations such as HIPAA, you're stepping onto a whole different playing field, one you may not be as familiar with as you think. It would be a tremendous mistake to assume you can simply extrapolate your existing knowledge and methods.

The moment you become a BA, you are directly liable under the HIPAA Security Rule and Breach Notification Rule and for whatever Privacy Rule obligations your BAA assigns you. You are also sharing the risk with your clients, or even accepting the transfer of some of that risk. So it would be in your best interest to follow these recommendations:

  1. Make sure you are familiar with the letter of the law in the Privacy, Security, Enforcement, and Breach Notification Rules.
  2. Take advantage of free, readily available online resources like the ones found at and
  3. Don't hesitate to seek expert and/or legal advice.
  4. Make sure contract documents are as detailed and specific as needed, and keep them up to date.
  5. Stay on top of regulation changes and enforcement actions.
  6. Never allow yourself to think you already know everything you need to know.
  7. Last but not least, before you do anything, make sure you absolutely know what you’re doing.

There's tremendous opportunity in the healthcare vertical for competent MSPs and IT professionals determined to do right by their customers. Will that be you? With the proper knowledge, methods, and paperwork, it certainly can be.

This post was originally published on LinkedIn.