I work for a commercial printer that offers both traditional print and online portals that manage marketing...
support. We have fulfilled the ISO 27001 certification to satisfy audits from our financial services clients, but do we need to be HIPAA-compliant if we want to approach clients in the healthcare industry? If so, can you please explain what that actually means? Would we be classified as a business associate?
You have put your finger on the crux of the matter: would you be considered a business associate? HIPAA applies directly to only four types of organizations: healthcare providers, health information clearinghouses, health plans and the business associates of any of those covered entities (since the 2013 Omnibus Rule, a subcontractor of a business associate that handles PHI is a business associate as well). Note that an organization becomes a business associate by what it does, not by what it signs: if it creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity, it is a business associate, and the written business associate agreement (BAA) the covered entity is required to put in place formalizes that relationship rather than creating it.
A commercial printer is unlikely to be a business associate unless it prints highly personalized materials that contain patient information, such as appointment reminders, statements or explanation-of-benefits mailings. An entity becomes a business associate only if it handles PHI. A covered entity that sends out general marketing pieces has no reason to disclose PHI to its printer, so the printer does not become a business associate. One caveat to watch for: a patient list is itself PHI. If a provider or plan hands you its patients' names and addresses so that you can print and mail a campaign to them, you are receiving PHI on its behalf, and the covered entity should be asking you to sign a BAA (it also has to observe the Privacy Rule's own restrictions on marketing communications before sending such a campaign).
The U.S. Department of Health and Human Services (HHS), whose Office for Civil Rights enforces HIPAA, illustrates the functions that make a vendor a business associate with these examples: "claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing." As long as the printer deals only with generalized marketing materials, with no patient identifiers in the job, it's in the clear. If you do decide to take on PHI, your ISO 27001 certification will not substitute for HIPAA: the BAA will obligate you to meet the HIPAA Security Rule's administrative, physical and technical safeguards and to report breaches to the covered entity, although an existing, audited ISMS gives you a solid foundation for doing so.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)