Healthcare organizations and professionals are trusted by their patients to maintain their safety and privacy and to keep their data secure at all times. With identity theft and the number of cybersecurity hacks increasing, healthcare providers are under immense pressure to provide the correct safeguards for both physical and digital patient data. This means they must choose services and business associates that also maintain the high security standards expected by patients and regulators.
The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted specific security regulations for Covered Entities (healthcare providers, health care clearinghouses, and health insurance plans) and their service providers. According to the Department of Health and Human Services, “Business Associates” (BA) include businesses that “create, receive, maintain or transmit protected health information (PHI) for other businesses covered by HIPAA, the HITECH Act, and their regulations.”
Under the HIPAA Omnibus Final Rule, any service that receives, maintains or transmits PHI on behalf of a Covered Entity is considered a Business Associate, even if the associate never actually views the protected health information. All U.S.-based healthcare Covered Entities (CE) are required by law to obtain a signed Business Associate Agreement (BAA) from any Business Associate that receives, maintains or transmits Protected Health Information on their behalf. BAAs often contain the details of the Business Associate's plan of action in response to a HIPAA violation or a data breach.
Since the introduction of the Omnibus Rule, the fines and penalties for HIPAA violations apply to healthcare providers, health plans, healthcare clearinghouses and all other covered entities, as well as to business associates (BAs) of covered entities that are found to have violated HIPAA Rules. Ignorance of HIPAA Rules is not an excuse for failure to comply with them. It is the responsibility of each Covered Entity and Business Associate to ensure that HIPAA Rules are understood and followed by all employees and service providers. In cases where a covered entity is found to have committed a willful violation of HIPAA laws, the maximum fines apply.
If a Business Associate experiences a HIPAA violation or data breach, HIPAA rules require the Business Associate to report it to the Covered Entity within 60 days of discovery, without unnecessary delay. The sooner the breach is reported to the Covered Entity, and with as much information and supporting detail as possible, the better equipped the Covered Entity is to decide on the best resolution and remediation process.
Lua supports HIPAA and HITECH regulations and will sign HIPAA Business Associate Agreements (BAAs) with customers. Because there is no official government or industry certification for HIPAA compliance, Lua supports compliance by keeping its product, policies, and procedures updated to adhere to HIPAA security standard requirements. Lua has also been audited by an independent, third-party auditor, who issued an evaluation report detailing the controls Lua has in place.
Lua is one of the few cloud-based enterprise communication providers that signs HIPAA BAAs, demonstrating our ongoing investment in healthcare and enterprise security, compliance, and control for our clients. With Lua, data is encrypted in transit and at rest, for the utmost security. Our built-in features are also customizable, allowing for HIPAA compliant communication and file sharing along with compliance with each organization’s internal policies.
To learn more about the benefits of HIPAA Compliant Messaging for healthcare, download our brief: Top 5 Ways HIPAA Compliant Messaging Improves Your Organization.