Does HIPAA only matter for Medical Practices (Covered Entities)? What if you are a lawyer, a collections firm or run a cleaning service: should HIPAA matter to you?
The answer is yes! With the HIPAA Omnibus Final Rule from January 2013, not only do Medical Facilities have stricter requirements, but their Business Associates are now required to be as COMPLIANT AS THEY ARE!
But you say that you are not involved in Health Care at all! Well, if you are involved in Medical Malpractice or Personal Injury Law, if you clean medical offices, shred their documents, install and service their copiers, etc., and can run across personal health information, you are now subject to the same civil and criminal penalties as your health care clients!
This means that you must have a HIPAA Security Officer and a HIPAA Policies and Procedures Manual that you actually abide by. You have to train your staff regarding the need to keep information confidential. You may think that this is pretty onerous, but wait, there is more! Not only do you as the vendor have to sign a Business Associate (BA) agreement and abide by the HIPAA security rules, but you now have to have your own vendors sign a subcontractor BA agreement agreeing to the same thing!
The biggest problem with the HIPAA changes that go into effect on September 23, 2013 is that if you are not willing to be on the hook for HIPAA Civil and Criminal penalties, then you can’t do business with Covered Entities, and the same goes for your vendors. For many this is going to be a business decision. Each business owner must decide whether the amount of business they have with covered entities justifies the risk and expense of their own compliance, and whether they are willing to drop long-standing business relationships with their own vendors that are unwilling to comply with the new rules.