Under the most recent HIPAA HITECH Omnibus Final Rule, many new businesses and associates must be HIPAA compliant. The regulation essentially states that if your small business handles sensitive medical information, it needs to have the proper mechanisms in place to lower the risk of a breach. Protect your partners. Protect patient information. Protect your business.
If an organization only “moves” healthcare and medical information as a third-party intermediary and never needs hands-on access to the actual information, it most likely does not need to be HIPAA compliant. These businesses include, but are not limited to, shipping providers, logistics companies, telephone service providers and electricians. If the organization can actually access Protected Health Information (PHI), store it or transmit it, then it is considered a Business Associate and must be compliant. Business Associates typically include lawyers, accountants, data storage facilities and medical office clearinghouses.
If you’re still unsure about which partners need a BA agreement and which do not, it is better to be safe than unsecured. Our team can take a look at your operation, compile a list of your current Business Associates and give you a HIPAA Risk Assessment to decide which entities are your biggest risks and what solutions you need moving forward.
For more information regarding our business associate management and HIPAA compliance advisory services, contact HIPAAEx today!