As a Marketer, Should You Care About HIPAA?
In 2013, the U.S. Department of Health and Human Services released new regulations under the law known as HIPAA (The Health Insurance Portability and Accountability Act of 1996). HIPAA, and another law called HITECH, address the way health information must be secured and kept private. The laws are complex and I would not attempt to explain them here even if I thought I could. I am not an attorney, and I am not intending to give legal advice. However, I hope this post can help you determine if you or your clients are involved in work that could require HIPAA compliance.
Covered Entities and Business Associates
The term covered entity in the HIPAA rules refers to health care providers, health plans, and companies that process health claims, bill for health services, and services like that. A business associate is a person or organization that has access to private health information through conducting business with a covered entity. Further, the subcontractors of business associates may also be considered business associates if they have access to the protected information.
Could a Marketer or Marketing Agency be Considered a Business Associate Under HIPAA/HITECH?
In short, yes. A marketer or agency could be considered to be a business associate if:
you do business with an entity that is considered by HIPAA to be a covered entity or business associate
you are involved with the transmission or storage of protected health information, or
your marketing activities might involve access to protected health information.
For example, if a marketing agency or web development firm is hired by an entity covered by HIPAA to build a web site or app where health information is collected, and that agency or web developer has access to that private health information, then the company is likely considered to be a business associate under the law.
What is a Business Associate Agreement?
A business associate agreement is a contract that obligates a business associate to comply with HIPAA and HITECH regulations. Entities covered by HIPAA rules are required to execute a business associate agreement with all business associates they hire. It is also possible that your client may require you to sign a business associate agreement to do business with them, even if you do not currently have access to private health information. That business associate agreement will obligate you to be HIPAA compliant, whether or not you actually have access to private health information.
Is this a Big Deal?
Yes. If you are unsure whether the activities you are involved in as a marketer or web developer qualify you as a business associate, then you should seek legal counsel for a clear determination. If you are considered a business associate, or if you are required to sign a business associate agreement by a client, then there are at least two reasons why it’s a big deal:
To be a HIPAA compliant business associate is a significant undertaking. At Smooth Fusion, we spent literally hundreds of hours and thousands of dollars in research, risk assessments, policy creation and modification, security enhancements, training, etc. in order to be thoroughly compliant.
A business associate is potentially liable for civil and even criminal penalties for non-compliance with HIPAA regulations.
What’s a marketer to do?
All of this sounds like a pain and even a little frightening. As a marketer or agency, you want to be able to serve healthcare-related clients, whether it’s a healthcare provider, an insurance company, a nursing home, a pharmacy, or a healthcare clearinghouse. But becoming HIPAA compliant yourself involves a lot of time and resources and exposes you to liability. If your work involves any entities that deal with private health information, you should seek legal counsel to ensure that you are complying, even if your client has not asked you to sign a business associate agreement.
Additionally, when outsourcing the development, hosting, and maintenance of any web site or app that collects, processes, transmits, or stores protected health information, make sure you are outsourcing to a company prepared to execute a business associate agreement. But more than that, make sure you are outsourcing to a vendor who has actually implemented the security and privacy practices that will prevent a breach of data. Taking HIPAA seriously will protect your reputation, your client, and ultimately the individuals whose data you are striving to protect.
Smooth Fusion is a custom web and mobile development company and a leading Progress Sitefinity CMS Partner. We create functional, usable, secure, and elegant software while striving to make the process painless for our customers. We offer a set of core services that we’ve adapted and refined for more than 250 clients over our 17 years in business. We’ve completed more than 1700 projects across dozens of industries. To talk to us about your project or review our portfolio, send us a message and one of our project managers will reach out to you quickly.