By Chris Byers

You probably know the Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers hospitals and insurance companies. But do you know your medical device company could fall under HIPAA too? We often forget about the law firms, consultants, and medical device manufacturers who also could be liable for damages if they don’t properly comply with HIPAA’s privacy and security rules. 

Are you missing out on important HIPAA compliance measures?

HIPAA Safeguards Protected Health Information

HIPAA’s main purpose is to establish which patient information qualifies as “protected” and what measures users of that data must take to safeguard it. To do this, the U.S. Department of Health and Human Services (HHS) was charged with creating the rules that users of protected data must follow. To that end, HHS developed a privacy rule and a security rule.

Prior to HIPAA, organizations had no clear standards on how to handle protected health information (PHI). The challenge became glaring as the health industry began incorporating more technology into its processes without addressing best practices for PHI and transmission methods.

HIPAA Applies to More Than You Think

When talking about HIPAA, we often think about healthcare providers who transmit PHI in electronic form. This is an example of a covered entity. Other covered entities, such as health plans and healthcare clearinghouses, are the ones sending PHI using their systems.

HIPAA gets trickier for the second class of organizations: business associates, which are used by covered entities in the course of doing business. Organizations such as claims processors, CPA and law firms, quality assurance consultants, and pharmacy benefits managers are also bound by HIPAA regulations when they receive or send PHI.

Medical device companies, too, are often classified as business associates. When a physician transmits PHI to a medical device manufacturer for data analysis, for example, the manufacturer is now responsible for safeguarding that information. The company must be using a system capable of adequate data protection to stay compliant with HIPAA rules. 

Steps to Comply with HIPAA

Organizations qualifying as business associates need to ensure they have two key pieces set up: a legal agreement with their contracted covered entity and a HIPAA-compliant workflow and toolset to store and protect PHI.

With a properly created business associate agreement (BAA), you can legally demonstrate that you as a business associate understand and agree to follow the privacy and security rules. Within this agreement, you need to outline how PHI may be used, disclosed, and protected. Check with the HHS enforcing entity, the Office for Civil Rights, for sample language you can use to draft a legally enforceable BAA.

You’ll want to ensure you have your BAAs stored, organized, and secured, and you’ll likely find that paper contracts and a filing cabinet will not suffice. I would recommend a document and contract management tool—a system beyond an off-the-shelf cloud storage solution—so that your contracts are written, eSigned, and organized appropriately. This will also help you stay updated on fast-changing rules and regulations.

You also need a HIPAA-compliant workflow to ensure your organization is capturing and securing data correctly. The physician I mentioned above who sends you information for analysis should be transmitting data to you in a compliant manner, but you need to check with the physician’s office and your own teams. While some physicians use HIPAA-compliant email systems, I’ve seen that most manufacturers do not.

Without a complete compliance chain, companies will find themselves in violation of HIPAA regulations. Whether you’re a covered entity or a business associate, you need to invest in adequate access controls and data capture processes to store and encrypt PHI.

Protect Your Company from HIPAA Violations

You might think HIPAA violations are rare, but the costs are high for betting wrong. When a medical device manufacturer’s email archiving partner merged two servers in late 2018, it exposed more than 270,000 patients’ PHI to potentially unauthorized access. The medical device manufacturer ended up offering credit monitoring to every patient affected, and it conducted internal reviews of its processes—outcomes that were both expensive and public.

Lists of HIPAA noncompliance violations are sobering, and they illustrate a host of potential problems—including job losses, seven-figure fines, and even prison sentences—that will damage your business and reputation. 

To protect yourself, remain in close contact with the people most responsible for protecting your company’s interests. Development, quality assurance, and regulatory affairs teams need to constantly monitor whether your company is or might become a business associate under HIPAA. If that happens, you need to ensure you’re empowering your teams to implement the proper workflows to handle PHI.

Chris Byers is CEO of Formstack. Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe-Stephens at editor@24x7mag.com.