A lot of companies will need to do more to document their security procedures, according to attorney Kim Wilcoxon, partner in the executive compensation group at Thompson Hine's Cincinnati office.
The documentation process could be easy for a small company run by a single person who knows what's going on throughout the entire business, Ms. Wilcoxon said. For a larger company, however, getting several different departments to produce the proper documentation can take months, she said.
“HIPAA is 90% documentation,” she said.
But documentation isn't everything. Even companies that think they meet HIPAA's security standards — which touch on the security of facilities, computers and administrative processes — could be wrong, Ms. Wilcoxon said.
For years, hospitals and other healthcare companies liable under HIPAA have forced vendors to sign agreements stating that they'll protect patient data and notify them of any security breaches. However, some companies that signed those forms might have installed security measures that no longer suffice because of changes in technology or the way they do business, Ms. Wilcoxon said. Companies qualifying as business associates need to conduct risk assessments regularly, she said.
Joe Dickinson, privacy and security officer for the MetroHealth Systems, said business associates will face “significantly increased liability” once they're directly accountable to the federal government. If one of the thousand-plus business associates that work with MetroHealth causes a data breach, the hospital system could terminate the contract and seek damages in court. Soon, however, a company in that situation could also face federal penalties, Mr. Dickinson said.
Plus, the federal government is starting to do more HIPAA-related audits, Mr. Dickinson said.
“They are in a much more serious condition when it comes to the federal government,” he said.