Healthcare in the Age of Data
Making Sure Your Contractors Meet HIPAA and HITECH Security Requirements

One of your HIPAA security requirements is to make sure all your contractors (sometimes called business associates or BAs) are following HIPAA and HITECH requirements.

HITECH actually holds BAs accountable for data breaches, meaning it can fine them millions of dollars for a breach caused by their negligence. But that doesn't let you off the hook. If you don't take adequate steps to be sure BAs are HIPAA compliant, the Department of Health and Human Services can also fine you.

To help you avoid miscommunications with contractors and potential HIPAA fines, let's go over…

  • Which business associates / contractors fall under HIPAA privacy rules.
  • How to make sure BAs follow HITECH and HIPAA regulations.
  • What to do if there's a breach involving data that was transferred to a BA.

Who Falls Under HIPAA & HITECH's Business Associate Rules?

HIPAA and HITECH require your business associates to follow the same rules that you do (see our list of HIPAA privacy requirements). But which businesses qualify as a "business associate"? Any one that has access to protected health information (PHI) will have to be HIPAA compliant. This includes…

  • Part-time contractors who work at your office.
  • CPA firms / accountants.
  • Attorneys with access to PHI.
  • Medical billing firms.
  • Medical transcriptionists.
  • IT consultants.

If you hire any of the contractors listed above, you'll have to make sufficient efforts to ensure that they follow HIPAA and HITECH privacy rules. Here's what you'll need to do.

How to Make Sure Business Associates Are HIPAA Compliant

The Department of Health and Human Services offers these HIPAA guidelines for business associates. When you hire a BA, you're allowed to share your patients' PHI as long as the business associate needs these records to do his job. For instance, if you're sending data to your accountant, you can only send billing-related information. If the transmitted data included medical records, this would be a violation of HIPAA privacy rules.

Before you can share data, you'll need to make sure the BA has taken adequate steps to protect that data and prevent breaches. To do so, use a business associates contract and get these assurances in writing.

What's in a business associates contract? Read over these sample business associate contract provisions from HHS. The contract specifically defines how the BA can use the data you share and the safeguards they need to have in place.

What Happens If There's a Data Breach When You Share Data with a Business Associate?

Even after taking all the correct precautions, data breaches can still happen. In fact, third-party data breaches — ones that occur because of a contractor who has access to your data — are one of the most common types of data breach.

Because breaches are always a risk, it's smart to invest in Data Breach Insurance (also known as Cyber Liability Insurance). These policies cover the cost to…

  • Inform patients about a data breach (HIPAA also requires that you inform HHS and the media for breaches of more than 500 records).
  • Offer credit monitoring for patients affected.
  • Hire PR / crisis management professionals to help in your response (this is important because HIPAA also requires you to inform the media of breaches).

In addition, some Cyber Liability Insurance policies also cover HIPAA fines. While not all policies offer this coverage, small healthcare businesses are most likely to get this coverage.
