Wednesday, February 12, 2014

Do You Provide Service to Healthcare?

September 23rd was a big day last year (2013). It was the day that HITECH privacy and security rules went into effect for the US Healthcare system. Not just healthcare providers and payers but their service providers must be HIPAA and HITECH compliant.


The new rules come from the Health Information Technology for Economic and Clinical Health (HITECH) Act, [pdf of Act] which was actually passed as part of the ARRA Recovery bill. These rules re-define what a Breach is; define what a Business Associate is; and explain how to be compliant with the Privacy and Security rules.


One expert I spoke with, Tim Rearick at University of North Florida, said that these rules for privacy and security are nothing more than best practices for the industry that should have been in place already. Since many have not had to comply until now, many companies have not installed these practices, which include written policies and procedures; formal controls; and formal Disaster Recovery plans. The time, effort and expense to comply are nothing compared to the result of an audit by the Office of Civil Rights.

The OCR has fined Wellpoint $1.7 million, and Cignet Health of Prince George’s County, MD, $4.3 million, to name just two incidents.


The Security rules were written to address every size of organization, says Rearick, from the one-or-two physician office to Mayo Clinic and Blue Cross. They had to be generic, technology neutral and scalable - and they had to be non-specific because technology changes fast.


What does this mean for you?


As a service provider of eFax, voicemail, data storage, or even file-sharing (like SharePoint), you will need to be compliant with the HIPAA and HITECH rules, plus supply a Business Associate Agreement to the healthcare company.


Huh? Why? eFax stores the document before it makes it a PDF - and usually after as well. SharePoint and any document file-share or data storage service can hold electronic PHI (protected health information). Voicemail can also contain ePHI. As a provider of such services, you have to be compliant and supply the healthcare org with a BA Agreement that spells out the role and responsibilities of each party. HITECH extended this privacy and security responsibility to all service providers.


If you have questions, I suggest you speak with a healthcare compliance officer or a HIPAA expert.


Some good info: HealthIT.gov


HIPAA Survival Guide video
