
Health data privacy regulations impacting a wide range of industries

Navigating health data privacy compliance requirements is proving complicated for HIPAA business associates and other non-healthcare industries.

Privacy has become a critical area of concern for a variety of organizations, as numerous industries must now comply with data protection regulations. This is especially true of the healthcare industry and protected health information (PHI). Compliance with health data privacy regulations has become critical to many businesses' survival because of the potential fines and consequences stemming from HIPAA violations. Now, there is a whole new group of organizations that must navigate the HIPAA compliance waters.

The HITECH Act has broadened the responsibilities described in Title II of HIPAA, known as the Administrative Simplification Provision, and added business associates to the list of those who are directly responsible for HIPAA compliance. According to the Department of Health and Human Services, a business associate "is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity." Under HIPAA, covered entities are defined as any health plan, healthcare clearinghouse or healthcare provider that electronically transmits health information. To maintain HIPAA compliance, these covered entities must meet health data privacy standards adopted by the U.S. Department of Health and Human Services.

These HIPAA changes now make business associates vulnerable to the same monetary fines for noncompliance that are applied to covered entities. This means the Office of Civil Rights can now conduct audits and administer penalties to both business associates and covered entities, and can increase the size of the penalties for noncompliance based on the degree of negligence. In order to avoid this, these business associates -- even if not directly involved in healthcare -- must now ensure HIPAA compliance.

Verifying HIPAA compliance relies on the ability to conduct audits and proactively gather intelligence. These audits are a long-term, ongoing process that can be assisted by using online tools meant to help remain compliant with particular laws or regulations. For example, the Administrative Simplification Enforcement Tool (ASET) is a Web-based application created by the U.S. Center for Medicaid Services (CMS). The application enables individuals or organizations to file a HIPAA complaint against a healthcare provider, health plan or clearinghouse -- or any "covered entity" -- for potential non-compliance with HIPAA privacy and security provisions.

Business associates should also remember that compliance with healthcare regulations may change the way their organization conducts operations. Data protection budgets may need to be increased to meet the demands of new compliance regulations. Of course, conflicts or divergent goals usually arise within organizations when the group responsible for spending more on security and compliance requests more money from the group responsible for reducing spending and controlling the budget.

Security and privacy assurance is made even more complicated by businesses' increased demand for universal, rapid access to information. There have been numerous international efforts to protect consumer data: HIPAA, the HITECH Act, the European Commission's Data Protection Directive and the European Commission's General Data Protection Regulation (GDPR) are all very strict data privacy compliance regulations that now require much more of an organization's budget in order to comply.

Avoiding legal complications by ensuring compliance with laws and regulations -- especially those concerning the collection, sharing and processing of personal data -- is crucial and requires thorough planning. However, sometimes compliance efforts are not immediately practical. In these cases, a safe harbor status can be obtained, which is a set of "good faith" conditions that, if met, can temporarily protect an organization from the non-compliance penalties. For example, the Texas Covered Entity Privacy and Security Certification Program is a voluntary certification program that incorporates state and federal privacy regulations to allow Texas-based covered entities to demonstrate health data protection compliance. The goal of the program is to help these covered entities "reduce regulatory penalties, manage risk and increase confidence" in their health information protection efforts.

Healthcare industry compliance requirements are forcing a profound adjustment to the way many organizations conduct business. The trend is only going to be compounded by the fact that healthcare is also one of the fastest growing industries in the world. As the reach of the healthcare industry continues to expand, the strict compliance regulations that come with working with health agencies pose a daunting challenge for organizations with limited resources. Vendors and any other organizations that are considered to be HIPAA "business associates" -- or whose daily practices include handling some form of healthcare information -- need to be aware of their own compliance and regulatory risks and obligations, or risk being fined for noncompliance.

About the author:
Daniel Allen is a Research Fellow at the Center for Climate and Security, where he focuses on the intersection of strategies for cybersecurity and climate change security risks. He is also President of N2 Cyber Security Consultants, LLC, and has worked as a research scientist for the Naval Health Research Center/ Medical Resource Planning, and is a U.S. Army/Desert Storm veteran and a high school science and climatology instructor. He holds a Master's Degree in Cyber Security and Information Assurance from National University, designated by the National Security Agency and the Department of Homeland Security as a "National Center of Academic Excellence in Information Assurance Education."


This was last published in February 2015


Is your business considered a business associate? If so, what do you do to avoid HIPAA violations?
Yes, my firm is considered a business associate. We avoid violation of HIPAA by, first, performing and documenting security risk assessments of our electronic PHI information systems. Secondly, we are implementing specific administrative, technical and physical precautions as a way of protecting the integrity, confidentiality and availability of our electronic PHI. Thirdly, we only work with companies that have agreements which allow us to maintain our PHI privacy.
It sounds like the processes needed to protect PHI and remain HIPAA compliant are just good data security practices for all modern companies. As data protection and privacy assurance becomes a concern for every industry, the steps taken by business associates to secure PHI under HIPAA should at least be considered by other companies looking for strategies to protect their customers' information.
I'm not a business owner or associate, but it's incredibly easy to see how inconvenient these regulations are to follow and implement.