In 2009, the U.S. Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act. Congress recognized that technology can have a significant positive impact on healthcare outcomes, but when healthcare information is spread across disparate systems – many of them still manual – progress is stymied. As such, the act seeks to promote the ‘adoption and meaningful use of health information technology.’
Since HIPAA and HITECH were designed to work in concert, the security recommendations in this article apply to both HIPAA and HITECH compliance unless otherwise noted.
As healthtech becomes more prevalent and healthcare providers store/access more Protected Health Information (PHI) online, more types of organizations than ever are brushing up against the need to ensure HIPAA/HITECH compliance.
To help you figure out where you fit into the picture, we thought we’d give a quick rundown on how the HHS (The U.S. Department of Health and Human Services) currently views different types of entities under HIPAA/HITECH.
Note: As much as we’d love to give you definitive answers on how HIPAA/HITECH applies to you, when determining your HIPAA/HITECH liability, you should always consult qualified legal counsel.
Covered Entities – These businesses are the healthcare organizations at the core of the regulation. They include anyone from your doctor to your dentist to your pharmacy. In addition, health insurance carriers and independent health plan providers are considered covered entities under HIPAA and HITECH.
One way to determine whether or not your organization would be considered a Covered Entity is to look to the original definition in HIPAA: (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage.
The Center for Medicaid and Medicare Services also put out a handy flow chart for determining if you are a covered entity. Basically, if you provide services involving the billing and payment of healthcare-related activities and you transmit that information electronically, you are a covered entity.
Employers – Here’s where things get a little murkier. A healthy workforce is a productive one, so many employers are getting into the act by providing wellness programs, healthcare reimbursement accounts, on-site clinics, etc. Any one of these could earn you ‘covered entity’ status under HIPAA/HITECH, especially if you’re managing the data yourself and sharing it electronically with other healthcare providers.
The same is true if you are administering a self-funded insurance program because you are acting as an insurance carrier – and they are a covered entity. It’s also true even if you farm out the processing of claims and such to a third party. In that scenario, you are most likely the covered entity, and the third-party processor would be a Business Associate. (See TPA in the Business Associate categories below.)
On the other hand, if you’re just storing standard HR information such as high-level notes on an employee’s medical leave, you probably aren’t covered by HIPAA/HITECH. (Though you may be obligated to secure these records for ethical as well as other regulatory reasons.)
We have a number of customers in the manufacturing industry that provide medical assistance, e.g., a full-time nurse on-site in case of accidents. The details of their arrangements differ as does their need to comply with HIPAA/HITECH, but every one of them has asked us to help them ensure compliance. Maintaining HIPAA/HITECH compliance helps them mitigate their risks, and it’s the right thing to do.
Business Associates – HHS defines a Business Associate as a “person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
Here are some common types of Business Associates.
- Managed Service Providers (MSP). As an MSP, Connectria would be considered a Business Associate because we provide services such as hosting and disaster recovery that involve electronic forms of PHI. Even if we didn’t provide compliance services, we would still be considered a Business Associate under HIPAA/HITECH. Read: What MSPs Need to Know About the New Ruling on Business Associate Liability for HIPAA/HITECH Non-Compliance.
- SaaS Application Developers. If you provide SaaS-based solutions for the healthcare industry, chances are you would also be considered a Business Associate under HIPAA/HITECH. This remains the case even if you subcontract your cloud management needs out to a third-party service provider like Connectria. Some of the most frequent discussions I see on social media revolve around whether applications like Salesforce and Dropbox are/can be made HIPAA/HITECH compliant.
- Third-Party Administrators (TPAs). This would be someone who processes information such as employee benefits claims on your behalf, provided they don’t themselves provide healthcare coverage. (If they do, that puts them in the category of Covered Entity.)
- Wearable Healthtech Manufacturers. Here again, things can get kind of murky. For example, just because a wearable technology manufacturer allows their device to be used to collect information such as heart rate, blood pressure, and activity levels, that doesn’t necessarily mean they are required to comply with HIPAA/HITECH.
If the data collected is only for the consumer’s personal use and the wearable tech manufacturer isn’t under contract to provide the information to the consumer’s doctor or insurance carrier, they probably aren’t. But, if the device manufacturer were to enter into a more formal relationship with their health plan administrator, medical service provider, or some other covered entity, they quickly become a Business Associate.
Again, we defer to your legal counsel, but the HHS has also released guidance on health app scenarios, which may be useful for both device manufacturers and SaaS developers.
With the rise in healthtech and the need to share information electronically, our managed cloud service business includes almost as many customers who are SaaS developers of apps as it does actual covered entities. These developers have an idea they want to bring to market, and they don’t want to get bogged down in the ins and outs of HIPAA/HITECH compliance.
As Brad Reimer, the CIO of DocuTAP, put it, “We knew that once we committed to a public cloud, the provider would need a healthy partner ecosystem we could choose from to help manage the cloud in a secure manner, according to HIPAA/HITECH compliance regulations. This was something we did not want to manage on our own.” Read the full case study.
If you are (or think you might be) required by law to comply with the HIPAA/HITECH privacy rules for electronic PHI, you can get in touch with us here. We’d love to work with you and your legal team to help you create a solution that ensures compliance and the security of your systems and data.