Does My Business Really Need to Abide by HIPAA?

As most of us have had to transition into remote workspaces, keeping data secure in this virtual world is a top priority.  Knowing which services to trust can be a daunting task, which is why we wanted to share some of the resources we use in hopes that it may help others as they adjust to the ever-evolving circumstances we find ourselves in.

At Broadus & Associates we take our clients’ privacy, as well as their clients’ privacy, very seriously. That means adopting high security standards and carefully abiding by regulations such as HIPAA. “But,” you may ask, “what is HIPAA, and do I really need to abide by it?” “I don’t run a medical company, so does HIPAA really apply to me?” Well, you might be surprised. First, let’s answer the question of what HIPAA is.

What is HIPAA?

Technically speaking, HIPAA is the Health Insurance Portability and Accountability Act, which Congress passed in 1996. Among other things, it directed the creation of national standards that protect patients' health information and regulate how that information may be used and disclosed to other parties. The Privacy Rule and Security Rule that came out of it, later strengthened by the HITECH Act of 2009, are what people usually mean by "HIPAA compliance." In other words, it exists to ensure that no one is reading someone's medical records who shouldn't be. The rules apply to "covered entities" (health plans, health care clearinghouses, and health care providers that transmit health information electronically) and to their "business associates": any person or organization that creates, receives, maintains, or transmits protected health information (PHI) on a covered entity's behalf. So if your business handles medical information for a doctor's office, a hospital, an insurer, or one of their vendors, HIPAA applies to you even though you are not a medical company, and even where it does not apply directly, it is the baseline your clients will expect for any medical information you hold.

How HIPAA Applies to You

Now, 1996 may seem like quite a while ago, but with the popularity of "the Cloud" many businesses may not realize just how relevant HIPAA is to them. To see how this may apply to you and your business, let's look at a simple, low-tech scenario.

Before computers, documents were mostly stored in offices in boxes and filing cabinets. If some of those documents contained a client's health information (e.g., doctors' reports, medical bills), you would be required to protect that information from anyone not authorized to see it. Even though you may lock your office, you would still need to consider who has access to your office and might end up seeing those documents. Are all of your coworkers authorized to see them? Does a cleaning service come into your office at night that could come across them? To further protect those documents, you would need to store them in a locked filing cabinet or a separately locked room, and hand out keys only to the people who actually need them.

The same question must be asked with today's technology: who has access to where protected health information is stored, and is that person authorized to see it? Are you e-mailing health information to a colleague or storing it on a drive in the cloud? Your colleague may be allowed to see that information, but is the IT tech who manages that e-mail server? What about whoever else has access to that server? If you store it in the cloud on Google Drive, is the team at Google allowed to see that information if they come across it? Under HIPAA, the answer is that those parties (the e-mail provider, the hosting company, the cloud storage service) are business associates whenever they store or transmit PHI on your behalf, and a cloud provider counts as one even when the data it holds is encrypted and it cannot read it.

Business Associate Agreements

This can all get very confusing, which is why it is important to sign a Business Associate Agreement (BAA) with every outside service that stores, transmits, or otherwise handles protected health information for you. (Your own employees are not business associates; they are your workforce, and HIPAA expects you to cover them with written policies, training, and sanctions instead.) A BAA is like requiring everyone who gets a key to your filing cabinet to sign a legal contract stating how they may use what is inside, that they will safeguard the key, and that they will tell you promptly if the key is lost or a document is shown to someone it should not have been. Several e-mail and cloud storage providers are willing to sign a BAA, depending on your plan: Google, for example, offers one for paid Google Workspace accounts but not for free consumer Gmail and Drive accounts, and Microsoft offers one for Microsoft 365. Two caveats are worth keeping in mind. First, a BAA is a contract, not a technical control. It does not by itself ensure that no one is looking at your files; it obligates the provider to apply the Security Rule's safeguards, and you still have to turn on and use the features you are paying for (multi-factor authentication, restricted sharing, access logging) on your side. Second, a BAA does not move liability off your shoulders. Since HITECH, business associates are directly liable for their own violations, but the covered entity or business associate that hired them remains responsible as well, and a breach at a provider you never signed a BAA with is treated as your impermissible disclosure.

At Broadus & Associates, we have taken all the necessary steps to ensure that we are HIPAA compliant. We have signed BAAs with all the third-party services we use, and we adhere to the required security guidelines, so that you can be confident that your clients' data is protected with the highest security standards and according to HIPAA regulations.

Here are some resources on how to sign a BAA with some of the popular cloud storage services: