At the end of October, we like to turn to scary things: ghosts, goblins, witches and catastrophic business problems that can come from being out of compliance with state and federal law.

(OK, we made the last one up, but it IS pretty scary!)

For many businesses in Connecticut and across the country, compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 is mandatory. HIPAA is a complex set of regulations that were created primarily to protect sensitive patient information in the digital age.

For healthcare providers, insurance companies and other health-related entities, HIPAA compliance is a huge challenge. Even companies that consider themselves well-educated about HIPAA frequently run into unpleasant and downright scary facts, such as:

Scary Fact #1: HIPAA Requires Periodic Data Recovery Testing

Although most businesses that must follow HIPAA regulations know that they need to establish appropriate data backup practices, many overlook 45 CFR 164.308(a)(7) of HIPAA, which requires periodic data recovery testing. Covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information, and to repeat that assessment on a regular basis, including regular testing of their data recovery process. So, if you haven’t implemented procedures for periodic testing and revision of contingency plans, now is the time.

Scary Fact #2: There Are Few Tech Standards for “HIPAA Compliant” Solutions

Today, many businesses use software-as-a-service (SaaS) based solutions for the management of healthcare. Many of these cloud-based solutions claim to be compliant with HIPAA. The truth, however, is that HIPAA is a set of rules and best practices that makes little reference to the technical specifications required for hardware, software or security. It also has no certifying government body. So if your solution provider promises HIPAA compliance or waves a certificate around, you need to look deeper to ensure that this is indeed the case.

Scary Fact #3: Healthcare Business Associates Must Also Be HIPAA-compliant

It is not just medical offices, healthcare practitioners and insurance companies that are required to be HIPAA-compliant. Any other business that has access, electronic or otherwise, to protected health information is also required by law to be HIPAA-compliant. If any patient health information is used in your accounting practice (internally or with an outsourced firm) or your call center (even one run by a business process outsourcing company), those processes and technologies must also be HIPAA-compliant.

Get Managed IT Services

ASG Information Technologies, a Connecticut-based IT managed services provider, can help you ensure you’re meeting all regulatory rules when it comes to HIPAA. We will monitor your IT with hawk-like vigilance to identify and eliminate IT issues such as regulatory compliance gaps before they manifest into real problems. For more information, call us at 203-440-4413 or visit our website.