There are often many questions about HIPAA (Health Insurance Portability and Accountability Act). While it can get complicated and you should always consult counsel in specific situations, here are five things IT vendors should know about HIPAA:
1. HIPAA does not apply directly to IT Vendors
HIPAA applies only to your customers that work directly with patient data as part of the healthcare services they offer (hospitals, insurance companies, and in some instances medical device companies). These types of customers are called “Covered Entities”. Even if you have direct access to patient data, you are probably not subject to HIPAA unless you are providing healthcare services.
2. Customers will probably ask you to commit to HIPAA compliance if you have access to patient data
A key requirement of HIPAA is that Covered Entities make sure that vendors with access to patient information agree in writing to comply with a basic set of HIPAA requirements when handling that information. Your customers that are subject to HIPAA will often err on the side of caution and ask you to sign a “Business Associate Agreement” covering these requirements, even if your access to patient information is remote.
3. Business Associate agreements should be reviewed carefully to make sure “extra” provisions aren't included
HIPAA outlines exactly which provisions should be included in a vendor Business Associate Agreement. The obligations focus on protecting patient information (on paper or in electronic form) through “reasonable and appropriate” safeguards, and they include obligations to mitigate and report security incidents. What HIPAA does not require is liability terms or indemnity provisions that create financial exposure for IT vendors, so you should review any such terms with counsel before accepting them.
4. You should discuss HIPAA requirements in advance with your customer
If you think you are going to have access to patient data, you should discuss any customer-specific HIPAA requirements with your customer PRIOR to scoping or pricing any IT consulting project. Covered Entities are responsible for setting the HIPAA compliance procedures for use of their systems in their facilities, so you should know what you are signing up to before you price or scope your project. You don't want to hear about potential scope-changing requirements on the back end when you are ready to sign contracts or, as I have seen happen many times, after you have signed an agreement and the customer then will not give you the access needed to implement your solution.
5. HIPAA is just the beginning
If you often work with healthcare customers, you should follow HIPAA and patient privacy developments closely. HIPAA has come under attack for not doing enough to protect patient safety, and a number of key politicians and patient privacy advocacy groups are pushing for new legislation that may apply directly to IT vendors and give patients the right to sue them directly over security incidents. Like HIPAA, these new laws may impose additional requirements on you and your products, but they may also create new opportunities for the right products and services.