By Saud Juman
Recent cyberattacks on political organizations in the United States have highlighted threats that all institutions face regarding the security of confidential information. This is nowhere more significant than in the healthcare industry.
All health providers must maintain constant vigilance in protecting the most intimate information that exists regarding the lives of their patients, clients, and staff. Every organization has to build sophisticated defenses against the prospect of breaches and leaks. But this is only the first step.
No medical company or facility can rest assured that the information it protects is safe as long as it maintains professional relationships via business associate agreements (BAAs) with other companies that might not have the same level of security in place. Much like medieval fortresses, you may be safe in your own, but unless you have a series of alliances with other castles, your territory may still be overrun through the weakest of them. Consequently, agreements among business allies must be made and maintained in this day and age with even firmer assurances of mutual security than feudal oaths.
So concerns about security across multiple entities are both age-old and immediate, and they are explicitly addressed in both HIPAA and state privacy laws regarding BAAs. What those laws mean is that every health care institution is ultimately responsible for the security of its information both within its own systems and facilities and in the systems and facilities of its business associates.
There should be no confusion about this. While no one can be sure how the new Trump administration might impact the Affordable Care Act, HIPAA privacy rules regarding BAAs are likely to remain in place, and these are quite clear about the responsibility of each hospital and health care institution to lock down personal health information (PHI) and to make sure that all of its business associates do the same.
The terms of the HIPAA Privacy Rule are very explicit. “Covered entities” including “health plans, health care clearinghouses, and health care providers” may “disclose protected health information to business associates if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.” In addition, PHI can only be disclosed to a BA “to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.”