Reminder: Miss the Sept. 22 HIPAA Deadline at Your Own Risk!

Fall is almost upon us, and that means that students are getting serious again. So is the Office for Civil Rights (OCR), the arm of the government that enforces the strict HIPAA/HITECH and Omnibus Final Rule requirements put in place last year. The OCR has set September 22 as the final deadline for Business Associate Agreements (BAAs) to be updated and in place. (Many BAAs in place before the HIPAA regulations were strengthened were “grandfathered in” temporarily, but won’t be after September 22.)

Scary Penalties Expected This Fall

And the penalties for noncompliance are scarier than any Halloween haunted house—up to $1.5 million and possible legal prosecution for egregious violations. What constitutes “egregious”? Unfortunately, it might simply mean having had more than a year to update or replace old BAAs and not doing so before the deadline passed.

This (Probably) Means You—Even If You Think it Doesn’t

If you’re in a healthcare-related business, it means plenty. Ditto if you’re doing work for or with a healthcare-related business.

But you might not realize that if your business does anything to persistently maintain or store, create, receive, or transmit protected health information (PHI)—or if even one of the third parties you conduct business with does—then you may have a deadline to meet on September 22. Lots of companies are still blissfully unaware that this deadline applies to them.

How broad are the new rules? Even such seemingly minor involvement in healthcare as having a personnel department that administers a health plan could make your company subject to the deadline. Your firm could make anything, from silicon chips to doll dresses to IT services, but if it handles information from health claims, your business could still be affected.

Thousands of healthcare companies in the U.S. that are directly affected by the expanded HIPAA provisions that went into effect last year are still unaware of it. Even worse for non-compliant businesses, state attorneys general now also have the authority to prosecute for a lack of HIPAA compliance and are, in fact, already doing so in several states.

Business Phone Service: A Commonly Overlooked Vulnerability

Many businesses never consider the fact that their unified communications providers—their business phone service providers, fax and meeting service vendors, etc.—are often storing protected health information, and so fall into the category of business associates from whom you need to request updated Business Associate Agreements. 8x8 has taken significant steps to comply.

Perhaps most importantly, it has gained third-party validation of its HIPAA compliance, from one of the nation’s leading HIPAA security law authorities and authors. This means that 8x8’s cloud communications solutions and the accompanying Business Associate Agreements it provides to customers are fully up-to-date and HIPAA compliant.

Other measures that 8x8 has taken include data-in-motion encryption with HTTPS for accessing faxes, call recordings and voicemails, along with optional data-at-rest encryption. 8x8 has also set up HIPAA-compliant administrative controls and restrictions to protect PHI in electronic faxes, recordings and voicemails, and has established comprehensive security and privacy policies, procedures, standards, training, controls, metrics, monitoring and governance.

How Can You Tell How Compliant Your Provider Is?

Finally—and here’s how you can tell whether your communications provider is confident that it fully complies with HIPAA regulations—8x8 provides its customers with Business Associate Agreements, all written by a leading legal authority and author on HIPAA security law. The people I talk to really appreciate 8x8’s efforts at making compliance simpler and more easily achievable. And from what I hear, the management at many companies is desperate to find easier ways to comply.

For example, Deborah Sherl, a nurse consultant who is certified in healthcare HIPAA privacy and security, recently explained how daunting the task is.

“Many practices have electronic medical records, practice management software and VOIP communications, yet most do not have in-house IT staff,” she says. “Under such conditions, striving to create a new culture of HIPAA Privacy & Security seems to be an extraordinary effort. Having a business associate such as 8x8 that is open and welcoming to the need for updating Business Associate Agreements and working toward a common goal of best practices for patients is a very positive, yet frequently unusual, experience.”

How Could a HIPAA Audit Affect Your Business?

Cheryl Long, office manager for a 1,000-patient dental practice in Leonardtown, Maryland, relies on 8x8’s HIPAA-compliant cloud communications services to keep patient interactions and data safe and secure. She says she had to switch from her former communications provider to 8x8 because she couldn’t get the documentation she needed to keep the dental practice HIPAA-compliant.

“We were advised that if a doctor or dentist communicates over the Internet or stores information on the Internet, their data security has to be tighter than a drum,” said Long. “Having a HIPAA Business Associate Agreement was critical for us. You can install the best phone system in the world, but if you don’t have a BAA, you are not protected. I didn’t want to be sweating bullets if we were ever audited for HIPAA compliance. It’s not worth the risk.”

Mike McAlpen

Mike McAlpen is the Executive Director of Security and Compliance at 8x8, one of the largest US VoIP providers for business. Prior to this, Mike was a business leader with Visa, Inc. Global Information Security and Compliance. Before that, Mike was a leader in HP Professional Services Information Security, CIO/CISO Advisory and other services for nearly 12 years. Mike is a frequent information security speaker, a three-term IT Services Management Foundation President, a member of the Board of Directors of the Silicon Valley ISSA, and active in ISACA, FBI/DHS InfraGard, the U.S. Secret Service’s Cyber Crime Task Force and the American Bar Association Science and Technology Section’s Information Security Committee.