Think Tank

Pre-emptive strikes can prevent big fines: 7 questions to ask your business phone service providers about HIPAA compliance.

By Mike McAlpen | Executive Director of Security and Compliance, 8x8 Inc.


Could your company be fined for using a business phone service, fax system or call center system that doesn't meet new privacy controls? It's possible.

Many of those who are now violating the law don't yet realize it. Even worse, lots of businesses could face compliance problems because of other businesses' compliance problems.

New rules put many businesses at risk

New regulations governing the protection of patient health information (the HIPAA Omnibus Final Rule, with a compliance deadline of September 23, 2013) went into effect in 2013, and any grace period for enforcement has come to an end. These changes strengthened the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, regulations designed to protect patient data from accidental or intentional disclosure. Now, any company that processes, stores or transmits protected health information, directly or indirectly, on behalf of a HIPAA-covered entity falls under these newly expanded, stricter regulations.

Are you subject to HIPAA/HITECH now?

A major recent change involves who is affected by HIPAA. Before, the businesses most affected were primarily those providing medical services: hospitals, doctors' offices and dentists, for example. Anyone involved in paying and processing insurance claim information was also subject to the law. If you didn't fall into one of these categories, you probably didn't fall under the HIPAA regulations. But today, the list of affected companies has grown far longer, because many of the requirements now extend to business associates that receive protected health information, such as contractors and subcontractors. According to the Department of Health and Human Services, the term "business associates" now includes firms that "create, receive, maintain or transmit health information for other businesses covered by HIPAA, the HITECH Act and their regulations." Doesn't that sound like a telecommunications firm to you? It includes many telecommunications providers, as well as thousands of businesses that thought they didn't have medical privacy issues. (HHS does carve out a narrow "conduit" exception for carriers that merely transmit protected health information and have only transient access to it; a hosted service that stores voicemail, faxes or call recordings on your behalf does not qualify.) So your choice of a communications provider could jeopardize your business's compliance, and if your business associates are affected, you might be subject to the new rules, too.

What should business owners and managers ask their communications services providers?

Because fines can be steep (up to $1.5 million per year for each type of violation), lots of business owners are confused about what they need to do to ensure that they handle these issues well, and that their "business associates" do, too. Here are some questions to ask representatives at the firms that provide your business phone service, fax services and call centers.

1. Are you a HIPAA-compliant business associate? Many companies aren't, and having them as a business associate could put your own compliance at risk if you use their services.

2. What steps has your company taken to ensure compliance? For telecommunications providers, compliance is an extensive, continuing process. Not only must they make sure their company complies, but they need to verify that their own circle of business associates (their subcontractors) is compliant.

3. Has your HIPAA compliance been assessed by independent experts? It's important to get actual third-party verification, so that you don't risk your firm's compliance. Salespeople are often confused about the new rules themselves and could mislead you, so ask for third-party verification. Keep in mind that HHS does not certify anyone as "HIPAA compliant"; what you are asking for is an independent audit or assessment report against the HIPAA Security Rule, and you should ask to see it.

4. Can your telecommunications firm (business phone service, fax service, call center, Web conferencing provider, etc.) provide my business with a HIPAA Business Associate Agreement? Such an agreement is a contract in which the provider commits to safeguarding the HIPAA-covered information it handles on your behalf and to reporting breaches of it. HIPAA requires one to be in place before you share protected health information with a business associate, and a provider willing to sign one is signaling that it accepts that responsibility. In particular, "If you use a cloud-based service, it should be your business associate," says David Holtzman of the U.S. Health and Human Services Office for Civil Rights, Privacy Division. And, he adds, "If they refuse to sign, don't use the service."

5. Can the services that you provide my business be configured to be HIPAA compliant? Some companies don't even claim to provide compliant systems and warn customers away from relying on their services if compliance is needed. With a little digging (and these questions), you can find out which business phone service companies have made HIPAA compliance a priority.

6. Can you recommend particular configurations of our system to help us comply? Providers that make compliance a priority can often supply you with expertise or suggestions to help you comply, and they're more likely to have a compliance officer who can explain what you need to do.

7. Can your firm provide encryption for both "data in motion" and "data at rest"? When information such as phone calls and faxes is being sent, it is data in motion (for VoIP, that typically means TLS for call signaling and SRTP for the voice stream itself). When data is stored, such as voicemail, fax images and call recordings, it is data at rest, and it should also be encrypted for protection. Many service providers don't offer both forms of encryption, but some do. Encryption also matters after an incident: protected health information that is encrypted in line with HHS's guidance is not considered "unsecured," so its loss or theft does not trigger breach notification, provided the decryption key was not also compromised. Choose wisely for the best protection.

Many businesses that are too small to support a compliance officer or department are understandably intimidated by HIPAA compliance issues. But a few communications providers are increasingly shouldering more of the burden of compliance, so picking the right one is critical.

One company using a HIPAA-compliant solution is ICANotes, provider of a Web-based electronic healthcare records solution for psychiatrists and other behavioral health professionals. The company chose a HIPAA-compliant business VoIP solution for its business phone service and communications needs, in part because of the priority that the company places on HIPAA compliance. "We rely on business VoIP communications services to help us run our business efficiently and securely," says Jamie Morganstern, Operations Director at ICANotes. "With our HIPAA-compliant communications provider, we have safeguards in place to pledge the confidentiality and integrity of the health information of our customers."

Your business can achieve HIPAA compliance, too. Asking smart questions goes a long way toward meeting that goal.

February 2014

