Health Care and IT: Taming HIPAA

Computerworld - IT innovation has been a steadily increasing presence in the health care profession. The digitization of health care information has meant quick and flexible access to data, making health care professionals more effective and improving patient care. From patient-doctor secure messaging to the use of IT outsourcing by hospitals, vendors are everywhere offering ways to ease the lives of doctors and patients alike.

However, as with any expanding trend, there are growing pains. In the medical field, the apparent complexity of the do's and don'ts of using patient information has become an increasing cause of concern among physicians and their IT vendors. The perceived density of the Health Insurance Portability and Accountability Act of 1996 and its related regulations has contributed to this concern. When the acronym "HIPAA" is used, eyes roll and then glaze over.

Nevertheless, growing pains related to HIPAA can be managed effectively once isolated and explained.

The Business Associate Agreement

Let's take as an example one of the best practices of the HIPAA era: the business associate agreement. The principal purpose of a business associate agreement is to ensure that the IT vendor uses certain safeguards for health information protected under HIPAA. It is recommended that IT vendors and health care companies enter into business associate agreements.

Some of the key provisions of a good business associate agreement are that the IT vendor will:

• Use commercially reasonable efforts to maintain the security of patient information and to prevent unauthorized use or disclosure of such information.



• Implement administrative, physical and technical safeguards that protect the confidentiality, integrity and availability of electronic protected health information that it creates, receives, maintains or transmits on behalf of the health care provider.



• Report to the hospital breaches of security of electronic patient information of which the IT vendor becomes aware.

• Maintains sufficient information to permit an accounting of prior disclosure of sensitive information.



• Makes available all books and records relating to the use, disclosure and safeguarding of patient information to the government for purposes of determining its compliance with HIPAA.



• Returns or destroys, as feasible, patient information within its possession upon termination of the agreement. (The protections of the agreement apply until the information is returned or destroyed.)



• Ensures that any subcontractors or agents to whom it provides protected information agree to the same restrictions as above.