IT contractors who work with healthcare companies are no doubt familiar with how difficult it can be to meet the high standards set by HIPAA and HITECH data privacy laws. Fortunately, new HIPAA guidelines [PDF] make your requirements a little clearer.
HIPAA and HITECH require businesses that have access to patient data and health records to:
- Take extra precautions to secure sensitive data.
- Ensure it doesn't fall into the hands of criminals who might use it for fraud.
These guidelines also require IT contractors who work for healthcare companies to do the same.
IT contractors who work with healthcare companies are called "business associates" in HIPAA and HITECH laws. The Department of Health and Human Services has eased some of its requirements, reducing the liabilities of some IT professionals (especially web designers) who provide services but don't actually have access to health data. Let's look at how these new guidelines affect your HIPAA requirements.
Which IT Consultants Are Business Associates under HIPAA Laws?
Health Data Management explains how these changes to HIPAA and HITECH will affect IT business associates:
- IT personnel who have access to patient records are still BAs.
- Web designers who maintain the look and feel of the site but don't have access to patient data are not considered business associates.
- Other IT contractors without access to protected health information don't qualify as BAs.
In other words, the tech contractors who work for healthcare providers but don't actually have access to patient data won't have to sign business associate agreements or take other precautions to be HIPAA compliant. However, most IT contractors still have to know and follow HIPAA security guidelines.
Many web developers will have access to the kind of data that needs to be protected under HIPAA and HITECH, given how often healthcare providers use their websites as a portal for patients to access health records, contact doctors, and get information about upcoming appointments.
For more information on IT contractor HIPAA requirements, see "Data Security Laws Computer Consultants Need to Know."
Be Prepared for Client Questions about HIPAA Requirements
In its HIPAA update, the Department of Health and Human Services suggests that healthcare companies quiz their IT consultants about data security protocol. Oh boy! While your client might not grill you, let's look at the kind of questions HHS suggests your clients should ask you...
- Does software have appropriate access controls, auditing capability, and encryption?
- Will IT consultants train the healthcare staff to change and maintain security features as needed?
- How does the data backup and recovery system work?
- How will communications between IT contractors and healthcare staff be authenticated (to make sure each party is not a hacker or person committing a phishing scheme)?
- If an IT consultant has remote access to the healthcare company's system, how will this access be secured?
- Does this IT provide a way to securely contact patients via HIPAA-compliant email?
See page 29 of the PDF linked to above for a move exhaustive list of the questions.
Why HIPAA Compliance Matters to IT Professionals
When you sign a business associate agreement, you're basically signing off that you know and will follow HIPAA guidelines. Any violations, data breaches, or cyber attacks that involve your IT could lead to expensive fines against you or your clients – or even a lawsuit against your IT company.
IT Errors and Omissions may offer some financial protection for IT consultants. E&O Insurance may cover the cost of lawsuits if clients sue you over cyber security issues, HIPAA violations, data leaks, data loss, and other concerns with your work as IT consultant.
While this updated law loosens a few regulations, it makes it clear that IT consultants are still going to be held to higher standards for HIPAA violations. Your clients are being instructed to go to greater lengths to make sure your IT meets encryption and data security protocol, so make sure you're prepared.