Have clients in healthcare? Understand the professional liability exposures

Brought to you by Insureon Small Business Blog: Risk management insights and more for your business.
HIPAA and HITECH are data security regulations that can affect any healthcare company. Learn more about how they affect your liability.

IT consultants who work with healthcare clients will have to know and follow HITECH and HIPAA privacy rules that govern how patient health records can be stored, accessed, and transmitted.

What are HIPAA and HITECH? These laws are often referred to interchangeably. HIPAA was enacted first, and then later amended by HITECH. These acronyms are simply two names for a series of data security regulations for healthcare companies.

HIPAA and HITECH require extra work on your part and could expose you to serious liabilities, lawsuits, and fines for HIPAA violations. Let's go over what IT consultants need to know about healthcare data security.

7 basic principles of HIPAA compliance

This article is only a brief summary of the most significant aspects of HIPAA. We'd probably need to write an entire book about it to cover everything (many people already have). With that in mind, let's look at a few basic principles of HIPAA.

1. Patient health records must be protected

Hospitals and health-related businesses all have PHI (protected health information) for their patients. This includes billing information, medical records, and other personally identifying information. PHI can be electronic or take the form of physical documents. Either way, HIPAA requires you to take extra steps to secure this information.

2. All healthcare businesses need to follow HIPAA

It doesn't matter if your clients are medical billing companies, pharmacists, psychologists, or X-ray technicians — any business that has access to medical data must secure their network and make sure the data is stored and transmitted properly.

3. HIPAA requirements are actually "recommendations"

HIPAA is a law you have to follow, but the recommended data security procedures are only that — a recommendation. Technology changes too fast for laws to outline exactly what needs to be done to secure a network. To meet HIPAA standards, IT consultants need to constantly update and improve their clients' data security to stay ahead of threats.

4. To work for healthcare clients, you'll need to sign a "Business Associate Agreement"

HIPAA-compliant healthcare companies require anyone who works with their data to sign BA agreements. By signing this contract, you agree to know and follow HIPAA requirements.

5. HIPAA requirements have tougher data security standards

Healthcare businesses have to go to greater lengths to make sure their data is encrypted while it is stored and transmitted. For instance, email must have end-to-end encryption and healthcare businesses must make sure their cloud providers encrypt data even while it is transferred among cloud servers.

6. HIPAA requirements also have provisions for physical security

Your healthcare clients also have to prevent their computers, laptops, and mobile devices from being lost or stolen. In fact, the number one cause of a data breach in the healthcare industry is physical theft (according to identity theft watchdogs IDT 911). How do you prevent theft and loss? HIPAA experts recommend keeping computers away from areas with a lot of foot traffic, training employees about the risks of theft, and restricting the use of thumb drives and other portable tech that can be easily lost.

7. HIPAA also requires companies to institute processes that ensure data is accurate

Your clients will have to take measures to ensure that there aren't any errors in patient data. This can involve double-key entry, checksums, and redundancy checks during data entry.

IT consultants' professional liabilities when working with HIPAA clients

As we saw above, the stakes are high for IT consultants to be HIPAA compliant. HIPAA violations and healthcare data breaches are extraordinarily expensive. Let's look at your financial risk exposure when working with HIPAA clients and how you can manage these liabilities:

Healthcare data breaches are the most expensive type of breach

The typical data breach costs businesses $195 per stolen record, whereas a healthcare data breach costs $359 per record. That's almost twice as expensive.

HIPAA violations can lead to six- or seven-figure fines

The Department of Health and Human Services levies expensive fines on healthcare companies for violations in their data security. For egregious violations, many hospitals have had to pay million-dollar fines.

Professional liability insurance can cover HIPAA lawsuits

If an IT consultant is sued by a client when their technology fails to meet HIPAA standards, professional liability insurance (also called errors and omissions insurance) can cover the cost of your lawsuit and pay the damages you owe the client.

Because HIPAA violations are so expensive, your professional liabilities are substantially greater when you work with healthcare clients.

Of course, that doesn't mean you shouldn't work in health IT. It's a very lucrative field. Before you jump into health IT, just make sure you know what you're getting into. Review the HHS's HIPAA guidelines for business associates and invest in professional liability insurance to cover your risk exposure.

Compare quotes from trusted carriers with Insureon

Complete Insureon’s easy online application today to compare insurance quotes from top-rated U.S. carriers. Once you find the right policy for your small business, you can begin coverage in less than 24 hours.
