Tips: HIPAA Gross Negligence?

Posted by 70sfamily | 8:08:00 AM


I work for a small IT Managed Service Provider. We recently took on a county-contracted mental health facility as a customer. Part of the offering with this customer is basically housing their whole IT infrastructure on our equipment in our datacenter cage. I do have medical IT experience and am familiar with HIPAA. The build-out took longer than my manager who did the design thought it would because I have been making it HIPAA compliant to the best of my abilities. Both my manager and owner have given me feedback on HIPAA compliance with these systems. They say that since the contract with this customer has no "HIPAA component," the systems we provide the customer do not need to be, and the company will not maintain them according to HIPAA compliance. Is this gross negligence? What is my legal exposure?
OK, here are some other details:
Currently the records and billing information are hosted on a remote system accessed by Citrix. We will be bringing this in-house in the next few months.

We DO host a directory in a file share of both audio and transcribed dictations that are matched with photos of the clients.

In response to ? answer:

What about the HITECH Act, which extended HIPAA to "Business Associates," which covers companies that take on administrative functions? Isn't IT an administrative function?
So by us taking over all IT services for this company, we do not have a HIPAA exposure?


Rex

By HIPAA compliant, I mean I added the necessary access controls and encryption required. The original design had people accessing it by connecting to an unencrypted terminal service port. I added the encryption and login controls that are needed for protecting the data.

Kathi S
It depends on what you will be hosting on your server. If there are no medical records or patient data that contains a diagnosis then HIPAA does not apply.

?
It appears you do not fully understand HIPAA law and how it's only limited to health care professionals, not the IT guy. You have no legal exposure to consider; the health care provider may have some, assuming confidentiality in the contract is not mentioned and you have full access to everyone's condition.

They would be found negligent if they did not take any reasonable measure to protect the information. It sounds like they haven't, but at the same time you have no legal liability whatsoever.

Kathi's analysis of the fact pattern is not a correct one.

The only thing you need to know is that HIPAA doesn't apply to the IT guy short of it being mentioned in the contract; this means you have no liability regardless of your actions. As such, proceeding without HIPAA disclosure lays the liability on the health care facility, not your organization.

By administrative function, they mean internally, this doesn't apply to a 3rd party agency.

Understand that by adding and worrying about HIPAA components, this would cost a lot more money than originally agreed upon by your employer. More man-hours etc. would need to go into the protection of the material; your employer isn't going to do that because he wasn't paid to go above and beyond the contractual obligation.

My suggestion is to not take HIPAA measures unless your agency is paid extra to do so. I would mention the liability to the health facility, and they will totally understand they have no choice but to pay extra for the man-hours creating HIPAA peace of mind.

Snarkopolous Rex
And what exactly do you have to do to make this system "HIPAA compliant?" Realistically what does that mean? What do you have to do any differently than you would normally do for any other customer that requests a secure setup? I think you've been hosing your manager by telling them you have to do all kinds of extra "HIPAA stuff" as an excuse for why you've really been slacking off.

In any event, any exposure due to HIPAA rests with your company, not with you personally.
