Anyone who touches PHI must protect it
Is it your responsibility to ensure that your clinic is HIPAA compliant? Is it the doctor's responsibility? What if you're the IT person? Is HIPAA your duty? What if you are a janitor at a healthcare organization?
The answer to all of those questions is the same: every person who interacts with protected health information (PHI) in any way must protect it. That means you are responsible for protecting PHI if you:
- Talk to patients directly
- Give out prescriptions
- Take blood pressure
- Manage the firewall for a healthcare environment
- Manage a database that holds patient data
- Encrypt patient data on behalf of a provider
Healthcare provider HIPAA responsibility for HIPAA violations
If protected health information (PHI) is compromised at a healthcare practice, the practice is always considered at fault. Depending on the violation, an employee (especially an executive-level employee) may also be considered at fault and face serious consequences. Even when an employee was directly involved, the employer still carries part of the blame for not training its workforce properly.
SEE ALSO: How Healthcare Security Complacency is Killing Your Organization
According to the HHS, “Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.”
Employer or employee ignorance is not accepted as a legitimate excuse in the HHS’ eyes. That’s one reason why workforce member training is so crucial to preventing compromise and HIPAA violations.
Employee HIPAA responsibility
Employees are a crucial link in the healthcare compliance chain. If employees are not adequately trained on security, they become a weak link that is easily broken. Careless, and often simply untrained, healthcare employees are at the center of most HIPAA violations.
If they interact with PHI in any way, healthcare workforce members are legally bound to comply with the HIPAA rules governing the security of that information. Workforce members who are directly or even indirectly responsible for a HIPAA violation can face civil penalties.
Business associate HIPAA responsibility
When it comes to responsibility, third parties sometimes assume they are exempt, especially those that do not classify themselves as HIPAA "covered entities." The problem is that the HHS does consider them legally bound to protect PHI. That is why the HHS requires business associate agreements.
According to the HHS, “In addition to [business associate agreements], business associates are directly liable for compliance with certain provisions of the HIPAA Rules.”
Signing a business associate agreement does not, however, shield a business associate from liability when something goes wrong with patient data security. If data in the business associate's possession is breached, both the business associate and the healthcare provider can be held responsible.
See also: You Can’t Hide Behind a Business Associate Agreement
Read about business associates and HIPAA for more information on business associate responsibility.