Assuring HIPAA Compliance for PHI
By Sarah Morris, KirkpatrickPrice

If you’re hosting data classified as patient health information (PHI), it’s always your responsibility to assure HIPAA compliance for PHI. In other words, take appropriate measures to comply with the HIPAA Security Rule. Beginning September 23, as a business associate of a healthcare entity, you can now be fined directly by the Department of Health and Human Services for not complying with the law.

That’s right—next week, the level of accountability is increasing for those providers serving the healthcare market. What does this mean? Simply signing a Business Associate Agreement (BAA) is no longer enough! All Business Associates must ensure their compliance by establishing appropriate physical, administrative, and technical safeguards to protect PHI.

In light of the changes to the Security Rule, it is in the best interest of all hosting providers to simplify their internal process for handling all client data, thereby ensuring compliance with the various frameworks governing controls. Many companies have established a policy to treat all data as PHI so that systems do not have to be segmented for compliance purposes.

So, what if we are doing everything to make sure the proper policies and procedures are in place and there is still a breach? Even in the tightest of security environments, breaches can still happen. However, there is a difference between being negligent after a data breach and doing everything you can to resolve the issue while communicating it to your client. Taking immediate action to remediate a breach can be the difference between paying large fines administered by the Office of Civil Rights and avoiding them.

KirkpatrickPrice has pointed out three useful tips to help hosting providers prepare for these new changes and potential audits.

1. Do you have someone overseeing your compliance efforts? Make sure your organization is establishing and implementing physical, administrative, and technical safeguards to protect PHI. Are those policies and procedures formally written? If your client scheduled an onsite audit, could you produce adequate evidence to show you are following your procedures? Protection from data breaches should be a top priority within your organization.

2. Do you know who your vendors are? Now that you are required to be responsible for your own compliance, you need to make sure the companies you partner with can be trusted. This can be the difference between keeping and losing money and reputation when data is lost. What good are all the necessary controls to protect PHI if the companies you work with are not doing the same? Check whether a potential vendor complies with the necessary security controls to protect PHI before engaging them in business.

3. Are you assuring your chain of custody? Signing a Business Associate Agreement used to be all that was necessary to satisfy a client's contractual requirements. Now clients must go further by asking you, at a minimum, for written policies and procedures. Are you prepared for your clients to perform a HIPAA risk assessment on your organization?

Taking a fresh look at the HIPAA requirements is very important before the upcoming changes take effect. Contact us at KirkpatrickPrice for help comparing the HIPAA Security Rule standards against what you are currently doing.

Sarah Morris is a technical writer for KirkpatrickPrice, a provider of world-class audit services. Visit