Does Working with a HIPAA Compliant Vendor Make You HIPAA Compliant?
In a word, “no.” Unfortunately, you may be working with a HIPAA compliant vendor, such as a texting service, email provider, video platform or even EHR platforms, but that’s just a start. Your whole practice must be HIPAA compliant, and not just your vendor. HIPAA requires that health care practitioners, such as behavioral health professionals, address the full extent of the regulatory requirements.
Understanding how your practice or behavioral health organization fits into HIPAA regulatory requirements is your first step toward guarding against HIPAA violations and fines.
Behavioral Health Professionals are Covered Entities
HIPAA regulation defines a covered entity as any health care provider, clearinghouse, or insurance company involved in the transmission of protected health information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples of PHI can include a patient’s name, address, phone number, email, Social Security number, financial information, medical record, or full facial photo, to name a few.
Here’s an example to help illustrate why merely working with HIPAA compliant vendors won’t make you HIPAA compliant:
Let’s say your practice is using a HIPAA compliant texting app to transmit data about appointment reminders to clients/patients. If your practice doesn’t have a HIPAA compliance program in place, then there won’t be any documented safeguards describing the kind of data that can and can’t be sent. According to HIPAA, your client/patient communication standards must be thoroughly outlined, defined, and limited within your organization’s HIPAA policies. Additionally, employee HIPAA training on these policies must be in place to ensure that you and any staff members adhere to regulatory safeguards. Depending on the complexity of your organization, these requirements can sometimes be met with simple statements, but they must be in writing and updated regularly (usually annually). And finally, HIPAA requires that Business Associate Agreements be executed with all vendors, regardless of the status of their HIPAA compliance, in order to safeguard PHI being transmitted between parties.
Though it’s possible to use software or apps without your own HIPAA compliance program in place, your practice can and likely will be held fully liable if a HIPAA violation arises from a mis-sent text message or data breach.
The fine schedule for HIPAA violations ranges from $100-$50,000 per incident, based on the level of perceived negligence. That means that the more robust your organization’s compliance program is, the less you can potentially be fined. HIPAA investigators realize that violations can and will occur, but adherence to your obligations under the regulation can significantly limit your exposure to financial liability.
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.
Compliancy Group’s team of expert Compliance Coaches® field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including full vendor management and Business Associate Agreements.
With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.
Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individuals.