HIPAA Compliant Business Associate
BEI is the technology partner of a wide variety of healthcare professionals and organizations. As such we have implemented an internal HIPAA compliance program and we sign HIPAA Business Associate agreements with our healthcare clients.
In the course of performing our day-to-day functions for these clients, BEI employees are sometimes exposed to protected health information (PHI). For example, this can occur when we are troubleshooting a practice management (PM) or electronic health record (EHR) issue on a user's PC or workstation and we see PHI on the user's monitor. In addition, as computer network administrators for our clients we generally have access to all portions of a HIPAA Covered Entity's (CE's) network, which includes those systems and databases that contain PHI. Therefore, as a conscientious business partner of our CE clients, we have a responsibility to implement the appropriate provisions of the HIPAA Security Rule.
Accordingly, we have executed a HIPAA Compliance Program. BEI has an appointed HIPAA Security Officer and documentation governing the policies and procedures required by the Security Rule. All of our employees have been trained on these policies and procedures, and as we add new employees they will also receive this training.
This program assures our CE clients that BEI has the appropriate measures in place to protect the access, maintenance and utilization of PHI. In addition, our CE clients can be assured that BEI has the knowledge and experience to assist them in designing HIPAA compliant IT networks. For example, the recently passed HITECH Act includes "Subtitle D", which focuses on privacy and modifies and broadens portions of the HIPAA Privacy and Security laws and regulations, many of which relate to electronic security. Electronic PHI (ePHI) must be properly secured through encryption and other data protection techniques. This applies to both 'data at rest' and 'data in transit'. The regulations stipulate the specific government IT security standards that must be followed during network configuration and operation. BEI knows what these standards are and how to implement them, and is therefore able to advise its clients on the HIPAA Security Rule requirements and how they can most effectively be implemented on their current and future network configurations.
In a related matter, in order to obtain Meaningful Use funding, physicians must comply with Core Set Measure #15: "For the EHR and its related IT network, conduct a security risk analysis and implement security updates as necessary; correct security deficiencies." This security risk analysis essentially asks physicians to make sure their IT networks are compliant with the Security Rule issues mentioned above, and, in the event that an analysis yields a gap between the actual network implementation and the desired network implementation, that the necessary measures are taken to cure the defect. BEI can provide the necessary analysis and services as listed above.
Finally, our client CEs can be assured that when BEI signs their BA agreements, we truly have taken the steps to fulfill our obligations as spelled out in the agreements.
Additional HIPAA Information
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. The United States Congress passed this act primarily to improve the portability and continuity of health insurance when people lose their jobs. One of the provisions of HIPAA is aimed at Administrative Simplification, which includes, among other things, protection of the privacy and security of certain health information. The United States Department of Health and Human Services (HHS) has published rules for implementing portions of Administrative Simplification, including the HIPAA Privacy Rule and the HIPAA Security Rule. These rules, and others, typically apply to what are known as "Covered Entities" or CEs.
Covered entities are generally healthcare providers, payers (insurance companies), or other organizations that directly handle Protected Health Information (PHI). In addition, certain entities that provide services to CEs, where these services involve the disclosure of PHI, are known as HIPAA "Business Associates" or BAs. Depending upon the services provided by the BA, either or both of the Privacy and Security Rules might apply to them. Considering the type of services that BEI provides to CEs, the Privacy Rule does not apply to BEI, just the Security Rule.
Prior to the passing of the American Reinvestment and Recovery Act of 2009 (ARRA), with its particular section on healthcare IT (known as the HITECH portion of the ARRA), the HIPAA Security Rule was commonly interpreted as meaning that BAs should implement the HIPAA required or addressable technical and physical controls to protect PHI in their care, but not implement the full complement of administrative controls. If the BA actually received PHI, the HIPAA rules were further interpreted to mean that the BA should extend security controls on behalf of a CE, but rarely to mean implementation of every administrative, physical, and technical safeguard noted in the rules.
With the enactment of the ARRA, however, the regulations now clearly state (Section 13401) that the HIPAA Security Rule in its full form (45 CFR Parts 164.308/10/12/14/16) applies to Business Associates. Pointedly, it is no longer at the discretion of Business Associates to determine what constitutes "reasonable and appropriate" security controls. This imposes, for the first time, direct accountability on BAs, with potential civil and criminal liability for failure to meet these requirements.
© 2013 Business Engineering, Inc.
11130 Sunrise Valley Drive, Suite 202 Reston, VA 20191
P: 703.528.8300 F: 703.276.7938