Does Working with a HIPAA Compliant Vendor Make You HIPAA Compliant?
In a word, “no.” Unfortunately, you may be working with a HIPAA compliant vendor, such as a texting service, email provider, video platform or even EHR platforms, but that’s just a start. Your whole practice must be HIPAA compliant, and not just your vendor. HIPAA requires that health care practitioners, such as behavioral health professionals, address the full extent of the regulatory requirements.
Understanding how your practice or behavioral health organization fits into HIPAA regulatory requirements is your first step toward guarding against HIPAA violations and fines.
Behavioral Health Professionals are Covered Entities
HIPAA regulation defines a covered entity as any health care provider, clearinghouse, or insurance company involved in the transmission of protected health information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples of PHI can include a patient’s name, address, phone number, email, Social Security number, financial information, medical record, or full facial photo, to name a few.
Here’s an example to help illustrate why merely working with HIPAA compliant vendors won’t make you HIPAA compliant:
Let’s say your practice is using a HIPAA compliant texting app to transmit appointment reminders to clients/patients. If your practice doesn’t have a HIPAA compliance program in place, then there won’t be any documented safeguards describing the kind of data that can and can’t be sent. According to HIPAA, your client/patient communication standards must be thoroughly outlined, defined, and limited within your organization’s HIPAA policies. Additionally, employee HIPAA training on these policies must be in place to ensure that you and any staff members adhere to regulatory safeguards. Depending on the complexity of your organization, these requirements can sometimes be met with simple statements, but they must be in writing and updated regularly (usually annually). And finally, HIPAA requires that Business Associate Agreements be executed with all vendors that handle PHI, regardless of the status of their HIPAA compliance, in order to safeguard PHI being transmitted between parties.
Though it’s possible to use software or apps without your own HIPAA compliance program in place, your practice can and likely will be held fully liable if a HIPAA violation arises from a mis-sent text message or a data breach.
The fine schedule for HIPAA violations ranges from $100-$50,000 per incident, based on the level of perceived negligence. That means that the more robust your organization’s compliance program is, the less you can potentially be fined. HIPAA investigators realize that violations can and will occur, but adherence to your obligations under the regulation can significantly limit your exposure to financial liability.