Several recent blog entries have spotlighted retailers and compliance with the Payment Card Industry Data Security Standard (PCI DSS). But given a few developments when it comes to another set of rules for another vertical market—the Health Insurance Portability and Accountability Act (HIPAA), which applies to healthcare providers and their business associates—let’s turn our attention there.
According to the Healthcare Information and Management Systems Society (HIMSS), mobile app developers in the healthcare space (which assumedly includes MSPs with a healthcare focus) have periodically encountered challenges in determining how various laws and rules, including HIPAA, apply to their products. Hospitals and other healthcare providers, which sometimes develop their own mobile apps with or without assistance from MSPs, have had similar problems. To address this issue, the federal Department of Health and Human Services Office of Civil Rights (OCR) now maintains a website where app developers can anonymously ask questions and OCR, as well as members of the public, can answer.
HIMSS and the OCR have emphasized that posting questions to the site will not result in enforcement action if an app is already developed and is not HIPAA-compliant. Rather, the site is intended to serve as a resource and promote dialogue. As such, it includes a document in which hypothetical scenarios that might apply to various app designs are presented, along with analyses of how HIPAA may apply to each one. Additionally, the Federal Trade Commission (FTC) has developed an interactive decision tool for mobile health apps. The tool can help mobile app developers to determine whether HIPAA—as well as the Federal Food, Drug, and Cosmetic Act; the Federal Trade Commission Act; and FTC’s Health Breach Notification Rule may apply to their products.
Meanwhile, it’s been six months since the inception of Phase 2 of the HIPAA privacy, security and breach notification rules audit program. However, some healthcare entities and their business associates still haven’t gotten with the program when it comes to preparing for audits. OCR has been sending letters to providers and other covered entities to request updated contact information that will enable the agency to more effectively communicate with them should they be selected for an audit under the umbrella of the new program. One proviso to keep in mind and share with clients: Contrary to what anyone may assume about “hiding” from OCR by failing to respond to a request for updated contact info, doing so won’t exempt hospitals or other covered entities from being included in the audit program.
Also important to know: the OCR is using a wide net to select for auditing a broad spectrum of covered entities and business associates of various sizes and types, and from various locations. Audits are being conducted on site and through desk review. Covered entities should be prepared to share with the OCR a list of business associates, which then could become potential audit targets (MSPs, that’s probably you). The window for responding to audit requests is 10 business days; final audit reports are completed within 30 business days after responses are received. The OCR may, based on the results of individual audits, initiate a compliance review, which in turn may or may not result in enforcement action.
Moreover, OCR has devised a revamped and updated audit protocol that applies to both business associates and covered entities. The protocol encompasses performance criteria for specific provisions of the HIPAA regulations, and includes specific questions auditors may ask and documents that may be requested during the audit process.
Precautions and preparations notwithstanding, HIPAA compliance is a moving target. Savvy MSPs and their equally savvy clients should consider adhering to rules that govern the audit process and leveraging the abovementioned tools and protocols to assess their current state of compliance and ward off trouble down the road.