As HMOs spend more mindshare focusing their organizations toward consumers rather than employers, they naturally turn to marketing services firms with consumer backgrounds to help design and measure their efforts to have meaningful member engagement. Firms that provide marketing services are delivering disciplines in data management, campaign management and analytics that support the strategic goals of the HMO. However, given the sensitive nature of the data related to health care, these firms have a rigorous set of standards to adhere to.
The Health Insurance Portability and Accountability Act (fondly known as HIPAA) introduced new standards for electronic health care transactions, and more specifically, privacy and security rules that “Covered Entities” must follow. A Covered Entity is defined as one of the following: a health care provider (doctors, clinics, nursing homes, pharmacies), a health plan (health insurance companies, HMOs, company health plans), or a health care clearinghouse. The security rule of HIPAA specifies administrative, physical and technical safeguards to protect confidentiality, integrity, and availability against any reasonably anticipated risks.
A marketing services company is clearly not a Covered Entity, and falls under HIPAA rules as a “business associate.” HIPAA allows Covered Entities to have relationships with business associates that involve disclosure of protected health information so long as a contract between the two exists which controls acceptable use and security measures. One would expect that these relationships generally involve contracts and master services agreements, but the potential exists for the acceptance of associate security measures that seem reasonable but are a more limited implementation of the HIPAA standard for security than might be implemented inside the HMO.
Having evaluated the HIPAA security rule, and also having been through many data security audits and SAS 70 certifications, I can say that their requirements are consistent. The conclusion is that database and marketing services companies shouldn’t wait to adhere to a new requirement set outlined for them. Instead, your security design and administration should adopt the same level of responsibility as is required for the Covered Entity. As a client with specific compliance management responsibilities, the information risk management teams within HMOs will be more comfortable if they know that you hold yourself to the same standard that they do.
About the Author:
Chris Dewey is the CIO at SIGMA Marketing Group.