I work for a commercial printer that offers both traditional print and online portals that manage marketing... support. We have fulfilled the ISO 27001 certification to satisfy audits from our financial services clients, but do we need to be HIPAA-compliant if we want to approach clients in the healthcare industry? If so, can you please explain what that actually means? Would we be classified as a business associate?
You correctly point out the crux of the matter in the question -- would you be considered a business associate? HIPAA applies only to four types of organizations: healthcare providers, health information clearinghouses, health insurance plans and the business associates of any of those parties. Organizations become business associates by entering into formal, written business associate agreements with a HIPAA-covered entity.
A commercial printer is unlikely to be considered a business associate unless it prints highly personalized materials that contain patient information. The reason is that an entity only becomes a business associate if it is exposed to protected health information (PHI) about patients. If the printer handles marketing materials for the covered entity, the covered entity will not likely want to disclose PHI to the printer, and the printer will not become a business associate.
The U.S. Department of Health and Human Services, which oversees HIPAA compliance, further elaborates on the functions conducted by business associates with these examples: "claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing." As long as the printer deals only with generalized marketing materials, it's in the clear.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)