Do Accountants Need to be HIPAA Compliant?
The accounting industry, like many others, is subject to changes in privacy rules and regulations and one of those key laws to pay attention to is the Healthcare Information Portability and Accountability Act, or HIPAA. HIPAA is the main health information protection law in the United States and has been expanded with the adoption of several additional acts. These additions to HIPAA each address different aspects of the regulation from the Privacy Rule, Security Rule, Breach Notification Rule, HITECH Act and most recently added, the Omnibus Rule.
When the Omnibus Rule was made effective in 2013, it changed the landscape of HIPAA for many organizations and individuals. Many professions, like Accountants, had never had to worry about compliance before and were now unsure about whether or not this new law made them liable to HIPAA or not. In this article we’ll explore everything you need to know about Accounting and HIPAA Compliance.
HIPAA and Accounting
Some people may be surprised to hear that Accountants are among the professions that need to be aware of HIPAA and in certain situations need to be compliant in securing protected health information. Anyone who can access protected health information (PHI) in some capacity during the course of their job, must be in compliance with all the requirements of HIPAA. Therefore, any accountants who encounter patient information through things like copay, insurance payments write-offs, or other ways are therefore under the regulations of HIPAA laws.
Not all accountants will need to be HIPAA compliant, because not all accountants work for clients that will allow them to see individual’s health information. But in situations where you will need to audit the books of any organization that creates, stores or shares PHI, then it is likely that you’ll gain access to some of the information in order to complete this task. Doing a job on behalf of a HIPAA covered entity, makes some accountants or accounting firms, HIPAA business associates as defined above.
PHI in Accounting
Protected Health Information is defined as any medical information that could be used to identify that patient such as their full name, address, social security number, billing information, and other identifiers. Providing services, including accounting or tax related services to healthcare providers may result in your having access to some protected health information that the provider has created, maintained or shared. Whenever this access is permitted, that person is now liable to comply with HIPAA so that there are no breaches of that information.
Just as with other aspects of the job, the tasks that could prompt an employee to use PHI do differ between industries. For accountants, one example of a common interaction with PHI would occur while using a ledger, like Xero and Quickbooks, that contains patient accounts on behalf of the provider. Since a patient being able to be identified is the concern with guarding PHI, an accountant’s ability to know which patients received treatment from that provider makes this task one that falls right under HIPAA’s regulation.
Accountants as Business Associates
The key change that was made to HIPAA when the Omnibus Rule was added was the expansion of liability for noncompliance onto Business Associates (BAs). Essentially a business associate is any organization or person that provides a service to a covered entity (CE) that requires them to create, store or disclose protected health information. Since BAs and CEs both use PHI throughout the course of their work, both types of organizations are required to comply with HIPAA’s requirements.
Signing Business Associate Agreements
For organizations that are considered covered entities, make sure to have a Business Associate Agreement (BAA) signed with any accounting firm that you are working with. In the case that you don’t have a BAA signed, any information that is shared with them could be considered a data breach.
If there is a breach and the accountant is responsible for any of the information that is compromised, that liability still falls on the CE in the event that there is no agreement over shared liability. Covered Entities must be careful to choose to work with accountants, and other business associations, who have already completed or are willing to complete the steps needed to reach HIPAA compliance, including signing a specific BAA.
HIPAA compliance is important, but it can also be a lot to manage for business associates, like accounting firms, that do not interact with PHI enough to need a dedicated HIPAA employee. We understand that so we created a simple, step-by-step process through our platform to help these organizations achieve full HIPAA compliance. Accountable will take all the stress and confusion out of HIPAA compliance so you can keep spending your work day getting what you need to get done.