Fitbit is now HIPAA compliant—is your business?

Fitbit's recent announcement that it's now HIPAA-compliant underscores the importance of meeting medical privacy regulations. But many firms that should be compliant, aren't. Your business could be one of them, even if you're not involved directly in healthcare. And if you do comply, there could be ways to turn compliance into gold.

Fitbit’s recent announcement that it has achieved compliance with HIPAA—which protects patients’ health data—underscores the importance of HIPAA medical privacy concerns to an ever-widening circle of businesses. Still, many firms SHOULD be HIPAA-compliant, but aren’t, which puts them at risk for legal action. Could yours be one of them?

The Fitbit news shows that HIPAA compliance is no longer limited to insurance companies, doctors’ offices and hospitals.  Even device manufacturers like Fitbit must now show HIPAA compliance, just to be considered for doing business with compliance-savvy enterprises like Target—which just bought more than 300,000 Fitbit devices to help its employees to better monitor and improve their health.

HIPAA fines and marketplace rewards

But the underreported story is that so many businesses assume that they don’t have to comply with HIPAA—a mistake that could cost thousands of businesses in fines, lost business, damaged reputations and possibly even criminal penalties.

The opposite is also true: Companies that achieve HIPAA compliance—even companies that are in industries far afield of medicine—can use HIPAA compliance as a competitive edge to win new business, as Fitbit did. Until Fitbit could show that it was HIPAA-compliant, the human resources departments of major enterprises like Target could not even consider supplying its employees the devices without themselves running afoul of HIPAA.

Fitbit had to prove that it was a HIPAA-compliant business, so that it could issue documentation called Business Associate Agreements to Target—and any other enterprise wanting to purchase Fitbits for its employees. These agreements are signed to protect companies like Target that use Fitbits for their corporate wellness programs, from HIPAA compliance actions stemming from their use of Fitbits. So in this example, Target doesn’t have to worry that Fitbit might impact its own compliance, because Fitbit is compliant and provides BAAs.

‘We’re not in the medical biz, so why do we need HIPAA compliance?’

Many companies don’t realize that, like Target, they have personnel departments that have access to protected health information, or PHI, through things like company health insurance plans. Sometimes, such information is stored in communications systems—phone systems, voicemail recordings, customer contact centers and collaboration tools like meeting software—that aren’t certified to be HIPAA-compliant.

Estimates of the number of such HIPAA violating companies aren’t available. However, in my experience as a CISO at a company that provides communication systems that DO comply with HIPAA, I never cease to be amazed at how many companies don’t even realize they need to comply with HIPAA. And HIPAA isn’t just a regulation that hospitals have to worry about. It is a real law, with real teeth, and applies to everyone who stores protected information.

Luckily for businesses that become aware that they could be running afoul of HIPAA, it is possible to find communications providers that comply, and even more importantly, will give you a critical agreement called a Business Associate Agreement, which states the communications provider complies with HIPAA. The best providers can even advise you on the standard compliant way to configure their systems so that communications issues don’t put your company in violation of HIPAA.

Questions to ask communications providers

I’m often asked what companies can do to make sure their communications systems comply with HIPAA. A good start is to ask the following questions of representatives at the firms that provide all of your enterprise’s communications, including your business phone service, faxing, collaboration/meeting service and call center communications:

  1. Are you a HIPAA-compliant business associate? Many companies aren’t, and doing business with them could jeopardize your compliance if you use their services.
  2. What has your company done to ensure compliance? For telecommunications providers, compliance is an extensive, ongoing process. Not only must they make sure their company complies, but they need to verify that their own chain of business associate subcontractors is compliant.
  3. Has your HIPAA compliance been assessed by independent experts? It’s important to get actual third-party verification, so that you don’t jeopardize your own company’s compliance. Salespeople are often confused about the new rules themselves, and could mislead you, so ask for independent confirmation.  Also, an independent assessment of compliance will likely have more credibility with regulators than an internal assessment.
  4. Can your communications provider [business phone service, fax service, call center, web conferencing provider, etc.] provide my business with a HIPAA Business Associate Agreement? “If you use a cloud-based service, it should be your business associate,” says David Holtzman of the U.S. Health and Human Services Department’s Office for Civil Rights, Privacy Division. If a provider offers a business associate agreement, it is willing to stand behind its compliance and say in writing that it has the proper privacy and security controls in place. If your business is going to use a vendor that stores PHI on your behalf, you must have a business associate agreement in place. Holtzman adds, “If they refuse to sign, don’t use the service.” Get it in writing, in other words.
  5. Can the services that you provide my business be configured to be HIPAA-compliant? Some providers actually warn customers that they should not use its services to store HIPAA-protected health information.  These providers do not even try to achieve HIPAA –compliance or help customers comply.  But with a little digging—and these questions—you can find out.
  6. Can you recommend particular configurations of our system to help us comply? Providers that make compliance a priority can often supply you with expertise or suggestions to help you comply, and they’re more likely to have a compliance officer who can explain how their services are set up to facilitate compliance.
  7. Can your firm provide encryption for both “data in motion,” and “data at rest”? When information is being transmitted, such as via voice communications, it’s subject to encryption requirements for data in motion. When it’s being stored, such as in voicemail, faxes and voicemails, it should also be encrypted for protection.  Many service providers cannot offer both forms of encryption, but some can.

Many businesses that are too small for a full time compliance officer or department are understandably intimidated by HIPAA compliance issues.  But a few communications providers are increasingly shouldering more of the burden of compliance, so picking the right communications provider is critical to plugging this common compliance hole.  And as the Fitbit example shows, doing the right thing legally is not only a virtue, but makes great business sense, too.

Copyright © 2015 IDG Communications, Inc.

7 secrets of successful remote IT teams