Domino’s Case Study
Food Protection and Defense Institute
E-Learning and Conferencing Tools for Healthcare: Navigating the Regulatory Maze
December 27, 2018
is created, transmitted, and stored are a big part of that regulatory picture, and potentially the biggest source of fines and headaches for healthcare administrators in the industry.
At the very same time that regulators are beginning to clamp down on compliance violations and are handing out big fines, technology is changing at an astounding pace. Technologies like cloud storage and computing and the proliferation of mobile devices used for healthcare communication are putting health data in a lot more places, making total compliance more of a challenge. Moves to make all health records digital and increasing interest in using online tools to communicate with patients mean that ensuring compliance of digital data in particular is more important than ever.
The question that many healthcare organizations are asking themselves is: how can we leverage these new tools and technologies without risking breaking compliance and huge fines? Fortunately, service providers are responding to the demand and providing HIPAA-compliant tools and services that are allowing organizations to use the latest technology while remaining compliant.
E-Learning and Conferencing: More than Just a Business Tool
E-learning and web conferencing tools allow communication and collaboration without the parties having to be in the same place at the same time. This is great for business, but the possibilities in healthcare are even greater. Doctors can collaborate with colleagues in their field on the other side of the country; specialists can consult without having to be in the same city as the patient; mental health providers can offer counseling to patients with a remote video chat. However, if these activities are done using the wrong tools—tools that don’t offer compliance with HIPAA regulations—healthcare organizations are exposing themselves to the possibility of huge fines.
Fines reaching into the millions of dollars have been handed out in recent years, and HIPAA fine schedules provide for fines up to $50,000 for single incidents. Clearly, it is imperative for organizations to get this right the first time. Furthermore, since 2013, fines no longer apply only to “covered entities” (like hospitals and insurance companies), but also to the entire chain of “business associates” they work with to handle Personal Health Information (PHI). This includes partners that provide e-learning and conferencing tools and all the cloud and other service providers they work with.
Are You a “Business Associate?”
The potentially scary part about the new regulatory reach since 2013 is that healthcare organizations could be exposed to fines for violations their service providers are making. Furthermore, thousands of service providers may now be considered “business associates” without realizing it—but they still have to comply fully with HIPAA or face the same fines healthcare organizations do. The bottom line is that if your business handles Personal Health Information in any form, your operations need to be HIPAA compliant and you must ensure everyone you work with is compliant as well.
Ensuring a “Chain of Compliance” with BAAs
Business Associate Agreements are the single most valuable tool organizations can employ to protect themselves from regulatory fines. These agreements list the obligations and responsibilities of each party in a business associate relationship and can protect your organization from fines if one of your associates is found to be non-compliant. Every organization choosing an e-learning and conferencing provider should be sure the provider is willing to sign a BAA. It’s the best indicator that they’re HIPAA compliant and serious about following all the rules to keep them—and you—out of trouble.
Providers should also demonstrate their compliance with HIPAA through the Service Organization, Type II (SOC 2) + The HITRUST Alliance (HITRUST) certification, which demonstrates their ability to fully protect patient and other sensitive and personally identifiable information (PII) in accordance with HIPAA’s privacy and security provisions. SOC 2 guidelines were created to provide an authoritative benchmark for proper control procedures and practices while the HITRUST Common Security Framework provides requirements for creating, accessing, storing or exchanging personal health and financial information in a secure and transparent manner. Together, SOC 2 + HITRUST compliance shows the provider has verified through third party auditors its implementation of best practices with respect to security in terms of physical infrastructure, software, personnel and data.
E-learning and conferencing have the potential to act as powerful tools in healthcare. But if staying compliant and avoiding fines means compromising on the functionality that’ll allow you to maximize the value of these tools, the effort might well be in vain. Fortunately, while staying compliant with HIPAA can be tough, some of the best e-learning and conferencing providers in the industry are also the ones most serious about staying fully compliant and shielding you from fines. When choosing a provider, you can get the best the technology has to offer while staying compliant.
