HIPAA, how your company becomes compliant
Companies that work with US health data must be “HIPAA compliant.” This applies not only to companies based in the USA, but to all companies and subcontractors that come into contact with such data.
In the following, we want to explain what HIPAA is, what “HIPAA compliant” means, and of course how we can help you achieve this status!
What is HIPAA?
HIPAA, short for the Health Insurance Portability and Accountability Act of 1996, is a U.S. law that regulates the handling of protected patient data (PHI, Protected Health Information). PHI is all data that concerns individuals in a medical context. HIPAA is divided into 5 parts:
- Privacy Rule: Refers primarily to the rights of patients with regard to the handling of their data.
- Security Rule: Refers to the technical handling of data and its appropriate protection.
- Enforcement Rule: Refers to the conduct of investigations to check compliance. These can be carried out at the discretion of the authority.
- Breach Notification Rule: Dealing with data breaches.
- Omnibus Rule: A tightening of the existing rules that primarily applies to business associates. (Not listed as a separate rule, but included in the text of the law.)
It primarily imposes obligations on the following institutions in the USA and their worldwide “business associates”, i.e. their business partners, including those outside the USA:
- Health Plans (health insurance companies)
- Health Care Providers (hospitals, doctors and all other providers of health services)
- Health Care Clearinghouses (companies that handle data exchange between the above-mentioned entities and patients)
Does HIPAA affect me?
Yes, provided you have a business relationship with one of the above-mentioned US institutions and come into contact with protected patient data in the course of this business relationship. You are therefore considered a “business associate” and must also meet the requirements.
In this case, companies from the USA will ask about your “HIPAA compliance” during contract negotiations.
The only exception is a business relationship in which you never come into contact with the protected patient data, for example because you only supply software that the customer operates themselves. Even in this case, however, the software must not endanger the entity’s HIPAA compliance, for example through weak encryption.
It is also important to note that HIPAA compliance is required “transitively”. This means: if your company supplies a US entity or one of its business associates, you must also be HIPAA compliant, and all of your suppliers who come into contact with health data, for example the cloud provider on which your servers run, must also be HIPAA compliant.
How do I become HIPAA compliant?
HIPAA compliance is self-declared. In principle, you can claim to be HIPAA compliant at any time. However, especially in cases of negligent behavior, fines running into millions are possible, not to mention the reputational damage that follows a loss of sensitive data.
In essence, you must be able to demonstrate, including through appropriate documentation, that you comply with the requirements of the law “in good faith”.
A certification according to ISO 27001 is always a solid basis for this, but on its own it is generally not considered sufficient to meet all requirements.
What we do for you
If your company needs to demonstrate HIPAA compliance, we are at your side and offer the following services:
HIPAA Workshop
In a workshop, we will introduce you and your employees to HIPAA and the associated requirements for your company processes and IT security. We will give you an overview of the effects on your company, on your processes, and on your obligations in relation to your suppliers.
HIPAA GAP Analysis
In a structured workshop, we compare the current status of your documentation and processes with the requirements of HIPAA. Based on the identified gaps, you can either achieve the required status on your own, or we can provide you with further support.
Support in achieving compliance
If you need more support in implementing the requirements of HIPAA in your company, we are also available with tailored offers and will accompany you step by step until you can confidently announce your HIPAA compliance and sign your first “Business Associate Contract”.
We would be happy to have a non-binding discussion with you!
Contact us at office@certitude.consulting