Am I Responsible for HIPAA Compliance Even if I Don’t Store PHI?
If you’ve recently been to a doctor's office or hospital, you’ve signed a piece of paper regarding HIPAA (the Health Insurance Portability and Accountability Act). HIPAA compliance is the set of rules and regulations created to help protect PHI, or protected health information. These standards primarily relate to healthcare and medical organizations.
But what if your company is not a hospital or medical organization, and it does not store any personal health information? You couldn’t possibly be liable for any HIPAA violations, right? Well, that's not always the case. Being unaware of this fact has cost some businesses substantial amounts of money in fines and penalties. Here’s why.
One major aspect of HIPAA is that the standards actually extend beyond healthcare to other non-medical companies.
So how are you supposed to know whether you need to comply with HIPAA? Start with these 3 main points.
HIPAA rules reach beyond healthcare
The reason that HIPAA standards were created was to protect patient records and other important health information. Often, this information is shared with other entities, and this is why HIPAA compliance applies to businesses beyond healthcare.
For example, PHI is shared with other non-medical businesses such as law firms, accountants, attorneys, insurance agents, and other advisers. When the information is shared, the companies receiving it are now responsible for keeping it secure, just as it would be in a medical facility. Basically, if your company has access to sensitive health data that would fall under HIPAA, regardless of how you acquired that access, your company needs to be HIPAA compliant. It is also especially important for any businesses that collect, share or receive ePHI, or Electronic Protected Health Information.
Any company that works with sensitive information can be held liable
Non-medical companies that work with sensitive health-related information (let’s call them "business associates") can be held accountable for HIPAA violations. These "business associates" can be investigated, audited, fined and penalized just like traditional healthcare companies would be for breaking the rules.
Although "business associates" have been liable for HIPAA compliance for more than a decade, many of them are unaware that they are required to follow these guidelines. This negligence, along with the ease with which information can be shared online, has led to a continuous rise in data breaches year over year.
Steps your team can take to avoid steep penalties
In order to combat the rise in data breaches, fines and penalties for violating HIPAA continue to increase. These days, just one violation could potentially cost a company millions of dollars. Here are steps you can take to make sure your business is HIPAA compliant.
- Review the software and tools employees use while working with any medical data. This includes anything from complicated software to simple messaging apps. All of these tools need to be secure, and in many cases the data they handle must be encrypted.
- Data submitted through forms also needs to be encrypted.
- Avoid using email to share any medical data unless it's absolutely necessary. If it is, the email must be encrypted.
- Access to medical data should be restricted to only the employees currently working with it.
- Physical copies of medical data need to be locked away when not in use, then shredded when they're no longer needed.
The most important thing to take away from this article is that HIPAA compliance doesn’t only affect medical facilities, doctors’ offices and hospitals. Basically, if your business works with or obtains any patient information, your company likely needs to be compliant with the latest HIPAA standards.
If you’re not sure whether HIPAA could have an impact on your business, please reach out to us! We’ve been working with HIPAA compliant organizations for decades, whether in healthcare or not, so we’ll be able to come up with an ideal solution.