Why do Overseas Companies need to Comply with HIPAA
The Healthcare Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 with the goal of modernizing the flow of information within the healthcare industry and setting standards for the privacy of sensitive health information. HIPAA has been amended numerous times over the past 23 years, with each amendment slowly expanding it into the law that is recognizable today. Most importantly for overseas organizations, HIPAA sets standards for safeguarding patient protected health information (PHI). Companies that handle PHI must have physical, technical, and administrative safeguards in place, and must actually follow those procedures, in order to be considered HIPAA compliant. Two groups must meet HIPAA compliance: covered entities, which are organizations directly providing treatment, payment, or operations in healthcare, and their business associates, which are vendors and service providers that have access to patient information and support treatment, payment, or operations. Even subcontractors of business associates who have access to PHI must comply with the standards of HIPAA.
You may be asking yourself: “That sounds very interesting, but why do I need to be compliant with American Laws? I’m halfway across the world!”
Simply put, the security standards HIPAA imposes mean that in order to do business with American healthcare organizations, those hospital systems, healthcare clinics, and medical practices need guarantees that your organization is willing and able to safeguard the protected health information (PHI) that you or your employees will be working with. If they don’t believe that you can or will safeguard their PHI, they may not be willing to enter into a business relationship with you. Part of the process of ensuring that vendors will protect PHI is that American healthcare organizations require vendors to sign Business Associate Agreements, which are legal contracts that spell out the actionable steps an organization must take to safeguard PHI.
Business Associate Agreements will outline the duties and responsibilities of the contracted organization as it relates to the protection of any protected health information that is shared between the two parties. All Business Associate Agreements must detail the following items:
- Determine what PHI the Business Associate will access and how it will safeguard that PHI.
- Require and log employee HIPAA training.
- Outline the procedures to follow in the event of a data breach.
- Detail the necessity of subcontractor compliance.
- Plan the details of terminating the agreement if needed.
- Describe the process for the destruction or return of PHI.
The inability to guarantee compliance with these actions should be viewed as a red flag by the covered entity and should lead to it ending the agreement. An organization that does not comply with the HIPAA requirements will develop a bad reputation, lose customers, and face a plethora of other legal problems, such as fines or prison sentences. A business would have an immensely difficult time recovering from blatant HIPAA non-compliance once it is exposed. While it may be hard for the American judicial system to impose fines and penalties on organizations overseas, the loss of reputation and trust may be difficult to overcome.
Overview of HIPAA Compliance
HIPAA regulations are very complex, and complying with the law can be very confusing because the rule does not provide clear standards for how to achieve compliance. HIPAA was designed to be flexible, so it sets different expectations for different organizations based on the resources they have available to secure and safeguard protected health information. With that in mind, it is not unusual to feel that HIPAA compliance is a moving target. At Accountable, we have broken down HIPAA compliance into several actionable steps.
1) Know what is considered Protected Health Information
2) Understand HIPAA's required mandates
3) Learn the roles data security and privacy play in the use of Protected Health Information
4) Perform and document a Security Risk Analysis and implement safeguards
5) Develop contingencies in the event of a disaster
6) Train employees in HIPAA security standards
7) Distribute business associate agreements with collaborators
For more information on each of these steps, please refer to the Basics of HIPAA Compliance.
HIPAA Certification as Proof of Compliance
Accountable offers a framework for achieving compliance with HIPAA. Once an organization has completed all the steps in the process and has implemented appropriate policies and procedures to safeguard PHI, we will award the organization a certification as proof that they are able to comply with HIPAA. There are multiple reasons this would be beneficial to your organization:
A third-party certification like the one we offer may be beneficial for your marketing efforts. If you are a business located outside of the U.S. but are hoping to gain clients in the American healthcare industry, an organization will likely be more comfortable doing business with you if you have received a third-party HIPAA certification. Either way, a third-party certification will look more credible than your own claim about HIPAA compliance.
A fresh perspective on your policies and procedures. You may have been doing everything you think you need to do to safeguard consumer data. But most people are not experts in HIPAA; even compliance departments at large healthcare organizations do not know everything about HIPAA. With that in mind, third-party frameworks can help you identify blind spots and look under stones that you wouldn’t have thought to look under.
You can outsource employee training. Rather than having to identify training materials and then learn enough of them to feel comfortable presenting them to your employees yourself, you can trust experts to present simplified, relevant information to your employees. This satisfies the HIPAA Security Rule requirement that employees be trained to protect PHI, and it is one less thing for you to do.
UAE Trade Licenses and HIPAA Compliance
One unique topic relating to overseas HIPAA compliance is that in the United Arab Emirates (UAE), no business can operate without a trade license from its Department of Economic Development (DED). Recently, however, the government has stated that healthcare organizations will need to reach HIPAA compliance before they can even receive this trade license to operate. Seeing as HIPAA typically only applies to companies handling the protected health information (PHI) of U.S. citizens, this announcement has been a surprise to many people. Luckily, achieving HIPAA compliance is not restricted to American companies, and the same steps can be followed by any organization in order to reach HIPAA compliance, including those looking to obtain healthcare-related trade licenses in the UAE.
Accountable has created a simple framework to help guide organizations through the complexities of HIPAA. Try it out for free.