In your job as a marketing professional within a hospital or health system, you work with a variety of business partners: ad agencies, digital firms, photographers, videographers, copywriters and more. The HIPAA Privacy Rule allows covered providers to disclose protected health information to these “business associates” if you first obtain satisfactory assurances in writing that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. To document that understanding, healthcare organizations are required to have each of those partner firms sign a Business Associate Agreement. (I borrowed most of this language directly from HHS.gov – a great source for HIPAA information). Within the Business Associate Agreement, your business partners will need to attest that their organization understands what it means to be HIPAA Compliant and uses HIPAA Compliant Practices to safeguard PHI.
HHS and OCR (Office of Civil Rights) do not endorse any private consultants’ or education providers’ seminars, materials or systems, and do not certify any persons or products as “HIPAA compliant.” Companies like mine can turn to third party specialists to receive training and certification, but no organization can be certified HIPAA compliant by HHS. What is essential is that your business partners can demonstrate and document the fact that they use HIPAA compliant practices in handling private health information and that this is part of their everyday operation. It is not enough to understand HIPAA; a business partner must formally adopt specific practices.
With that in mind, I have two questions for you:
Is your agency or video production company using HIPAA compliant practices?
Have your business partners signed Business Associate Agreements with your organization? If they have not signed a Business Associate Agreement and you are allowing them to have access to patient stories, video, photographs and other private health information, you are not in compliance with HIPAA. Again, this applies to photographers, videographers, copywriters, marketing firms and advertising agencies.
Here are a few easy ways you can tell if your marketing firm is a HIPAA Compliant Organization:
- When you visit their agency, is facility security apparent? Is there a Log Book where all visitors must sign in and sign out?
- Do they have a HIPAA Compliance Certificate posted in their facility? This would demonstrate that they’ve hired a third party data security specialist to conduct a risk assessment, oversee the development of HIPAA compliant practices, and train their staff in HIPAA security awareness.
- Do they have a Notification of Privacy Practices published on their website?
- Do their email messages include a Confidentiality Notice below the main message?
- Do they have all of their vendors and freelancers sign a Business Associate Agreement?
- Do they have a designated HIPAA Security Officer on their team?
- Do they provide annual HIPAA Security Awareness Training for every staff member? (Again, this training is provided by a third party data security and HIPAA expert, not by HHS.)
- Do all computer work stations require login after 15 minutes of inactivity? (Computers should go to sleep mode after 15 minutes.) All computers must also have anti-virus software.
- Are all network servers kept in a secure, locked room? Any open Ethernet ports must be disabled.
- Has the agency brought in a specialist to conduct a HITECH Technology Risk Analysis that meets the requirements of the US Department of Health & Human Services? This risk assessment checks for compliance with the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). This Risk Analysis is the first phase in reaching full HIPAA Security Rule compliance. It should be completed annually to update your entity’s security approach to match (1) changes in your business and processes, (2) changes in outside and inside threats, and (3) newly discovered vulnerabilities in existing systems.
- Do they test the security of their IT infrastructure by performing internal and external penetration testing at least once a year and after any significant upgrades or modifications?
At Jennings, we’ve always been sensitive to our handling of private health information. Over the last year, we’ve gone through the arduous process of working with an information security firm to become Certified HIPAA Compliant. We worked with Security Metrics, but there are many firms out there that do this kind of work. In all, we’ve spent 150 hours of staff time on this effort. That equates to $22,470+ of billable time put toward this project. Every staff member has gone through HIPAA Security Awareness training and has been tested.
If you’re going to work with private health information, this is what it takes. It’s not something extra; it is foundational. We interview patients, record them on video, take notes, and photograph them. We craft patient stories. It is important that we handle that information in a secure manner. The HIPAA release that the patient signs does not in any way release us from our responsibility to safeguard their private information. It is up to us to make sure that we have the processes in place to secure their information. I am extremely proud of the work my team has done to make us a Certified HIPAA Compliant marketing firm. It’s where we need to be.