The Health Insurance Portability and Accountability Act (HIPAA) makes it easier for workers to get and keep health insurance coverage, but it also adds several layers of complicated regulations to insurance agreements. This is especially true as the methods of communication and information storage evolve in health care and business marketplaces. Before you sign a coverage agreement with a HIPAA-compliant provider, you should look into the specifics of how they operate, so you can avoid expensive problems and breaches of security.
Is the Provider 100% HIPAA Compliant?
Image via Wikimedia Commons by Compliance and Safety LLC
While it’s almost certain that hosting companies for health insurance providers are regularly audited for HIPAA compliance, some aspects of a provider’s information transmission and storage procedures may go unchecked. Many providers are still in the process of adopting cloud storage for customer information, so not all providers submit this cloud-stored data to HIPAA audits.
In addition to standard HIPAA compliance, inquire into your provider’s understanding of the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH ensures comprehensive compliance, even for information stored using new methods that may otherwise be vulnerable to data mismanagement.
Does the Provider Accept Independent Audits?
Any health insurance hosting provider that claims confirmed HIPAA compliance should be happy to allow an independent audit of compliance by a third party. If you want to send in your own auditor to determine compliance, your hosting provider should be happy to allow a full examination of their practices.
A provider that doesn’t allow independent audits or only allows partial audits by an auditor of your choosing may not be truly HIPAA compliant. As with your initial inquiry into the provider’s compliance, any independent audit should include both standard practices and any HIPAA hosting systems they employ.
What Privacy Procedures Do You Use for PHI?
Image via Wikimedia Commons by Phillipe Belet
One of the most important aspects of HIPAA compliance is the confidentiality of Protected Health Information. PHI includes a patient’s medical treatment documentation, payment history, identification records, and other sensitive information. All hosting providers that are compliant with HIPAA and HITECH should have concrete procedures in place to keep PHI secure. This includes:
- A private firewall with Virtual Private Network (VPN) protection
- Standardized data encryption of PHI
- Separation of information across multiple databases
What is Covered by the Provider’s BAA?
A Business Associate Agreement (BAA) is an indispensable part of any insurance coverage contract. The BAA should specifically state that PHI is protected, how it is protected, and how the provider responds to breaches of data privacy. This not only puts these protections in writing; it also demonstrates that the provider understands the full extent of its responsibilities and how to fulfill them. Without a BAA and the readiness it describes, PHI is at risk of breaches from multiple sources: from within the provider’s own company, from its competitors, and through any subcontractors it employs.
HIPAA-compliant health insurance providers face a complex series of regulations amid a changing technological landscape. For businesses and health care providers, the best insurance hosting providers are the ones that demonstrate a thorough understanding of their responsibilities and the methods necessary to keep PHI secure.