Today’s blog is going to be a little free form. I’m going to answer some questions that our clients have asked.
Q: Hey Jason, I see on the Total HIPAA website that you’re an opera singer when you’re not the Director of IT for Total HIPAA? How does that work?
A: For those of you who love opera, it may seem like a stretch, but there are many musicians in the IT field. I’ve had to learn multiple languages and memorize many operas and found it best to break them into manageable chunks. I tackle HIPAA and IT in the same way. IT has been the biggest challenge. Luckily, I’ve always been good with languages, and it has been easy for me to learn the codes and patterns.
The HIPAA law isn’t all that complicated when you break it down. If you look at it in its entirety, it’s overwhelming and daunting. That is why you break it down into its fundamental parts. Don’t expect to go from no HIPAA knowledge to full compliance in a day or even a week. It’s a process that will start slowly and evolve as you encounter new situations or questions.
Oh yeah, and thanks to my awesome bosses here at Total HIPAA Compliance, being an opera singer and Director of IT works really well. They are great about letting me get out of work for concerts and rehearsals. You can check out my most recent concert recording here: https://soundcloud.com/jason-karn/auf-dem-strom
Q: This question came from a broker. She gets information from Agents who are 1099s – the Broker sends information to the Carrier. Since the broker isn’t sending any Protected Health Information (PHI) to the Agents, she only receives from them, could there be a liability issue if the Agent ends up having a HIPAA violation? Does Liability go upstream as well as downstream?
A: This one is a little above my pay grade, so I sent this to David Smith, our resident HIPAA Expert, and here is his response:
“It would all depend on where the agent got the information that was misused. As I understand the situation: Agent has PHI, and provides to Broker, who in turn gives to Carrier. Carrier sends back non-PHI to Broker, who gives to Agent. Agent later has a HIPAA Privacy or Security violation involving the PHI that Agent provided to Broker. No liability for Broker. But Broker should be Agent’s BA Subcontractor.”
Q: Do you need a Business Associate Subcontractor agreement with your email host and HIPAA web hosting service?
A: Yes, this is really important, because they are potentially handling Protected Health Information (PHI) on your behalf. This means any breaches they have could reflect back onto your agency, practice, or company. I’ve been trying to drive this important point home; the update to the Omnibus ruling says you are now potentially liable for your subcontractor’s violations. YOU ARE NOT RESPONSIBLE FOR SUPERVISING YOUR SUBCONTRACTOR’S COMPLIANCE PROCESS, BUT YOU MUST VERIFY THEIR COMPLIANCE BEFORE ACCEPTING A SIGNED SUBCONTRACTOR’S BUSINESS ASSOCIATE AGREEMENT. If they do not show you those policies and procedures, you should not continue your business relationship!
Keep those questions coming, and I will endeavor to answer as many as possible!