Part of having a reliable medical courier service is making sure it is HIPAA compliant. Here is a guide for medical offices on HIPAA-compliant couriers.
If you run a medical office, chances are you think about HIPAA every day.
HIPAA stands for the Health Insurance Portability and Accountability Act. It controls where and how you store your medical files. It affects your choice of a payment processor, your email encryption, and how you disclose information over the phone.
Medical offices invest in HIPAA audits, staff training, and HIPAA-compliant technology. But what about HIPAA-compliant couriers?
Medical couriers perform several types of delivery services for medical offices. And there are serious consequences if any of those deliveries go wrong.
Lost test results and missing specimens can harm patient health and your bottom line. A good courier service uses training and sophisticated logistics to avoid those outcomes.
But too many medical offices neglect another important courier feature: HIPAA compliance.
Partnering with a HIPAA-compliant courier protects your office and your patients. Data breaches destroy patient privacy, harm your public image, and can incur serious fines. That’s true whether the data breach happens in your office or on the courier’s route.
Why exactly is partnering with HIPAA-compliant couriers so important? Learn more about the legal and financial implications of this decision below.
HIPAA 101
HIPAA was signed into law in 1996. This landmark bill sought to address the impacts of medical technology advancement on patient privacy. It’s administered by the U.S. Department of Health & Human Services (HHS).
HIPAA is made up of four major “rules.”
The Privacy Rule sets standards for protecting protected health information, or PHI. This information class includes identifiers such as Social Security numbers and names, which are exactly the identifiers medical couriers handle most often.
The Security Rule describes how practitioners should protect electronically stored and transmitted PHI. The Enforcement Rule describes HIPAA’s stringent enforcement procedures. The Final Omnibus Rule updated many HIPAA requirements for newer technology.
HIPAA compliance is a complex yet important task. To be compliant with HIPAA, medical offices need to be vigilant on many fronts.
They need physical protection, such as file cabinet locks, for PHI. They need electronic safeguards such as email encryption for digital PHI.
They need administrative procedures that enforce HIPAA hygiene. Those procedures might include limitations on taking work devices home.
Medical offices can’t just hope for the best when it comes to HIPAA. They need to train their staff on HIPAA compliance. They also need a breach management and notification plan in case of a data leak disaster.
HIPAA Compliance Outside the Medical Office
Most people know that medical offices must protect patient information. But plenty of non-medical businesses have to worry about HIPAA compliance, too.
21st-century medical offices don’t operate in a vacuum. They rely on payment processors, digital service providers, and yes, medical couriers. These third-party partners are all considered “Business Associates” under HIPAA.
Business Associates are non-medical businesses that handle PHI. And as PHI handlers, these businesses are as beholden to HIPAA as medical offices. If you operate a medical office, Business Associate HIPAA compliance is your responsibility.
According to the Privacy Rule, every medical office must “obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates.” Both parties must sign a Business Associate Agreement (BAA) ensuring HIPAA compliance.
The Consequences of BAA Non-Compliance
What happens if a Business Associate experiences a HIPAA compliance failure? This is where the HIPAA Enforcement Rule comes into play.
Punishments can be severe. In 2020, hospital management group CHSPSC LLC faced $2.3 billion in fines for HIPAA violations. The fact that it was a Business Associate and not a medical provider didn’t protect it.
Furthermore, it’s not just the Business Associate that experiences consequences. The HHS will closely scrutinize any medical office the Business Associate works with. If a medical office failed to vet its partners or sign a robust BAA, that office will face punishment, too.
In 2016, the HHS levied a $2.7 million HIPAA fine on the Oregon Health and Science University. One of the medical practice’s most egregious violations was its failure to sign a BAA with a cloud server hosting sensitive PHI.
A quick look at the HHS’s enforcement records shows that these kinds of violations are far from rare. In 2018, a Florida-based healthcare group faced $500,000 in fines for failure to implement a BAA. In 2016, a Minnesota hospital faced $1.55 million in fines for failing to sign a BAA with a major contractor.
HIPAA makes it clear that signing a BAA and hoping for the best isn’t good enough. Medical offices must actually vet their partners to ensure HIPAA compliance.
Following these procedures can protect you even in a worst-case data breach scenario. Showing you followed protocols and did your best to protect PHI can significantly reduce the fines you face if a data breach does happen.
Why Should You Get a HIPAA-Compliant Courier?
What’s the biggest takeaway from reading about recent HIPAA fines? It’s that you need to take Business Associate compliance seriously. That compliance extends to your courier service.
HIPAA scales its fines according to the severity of the violation and the number of records exposed. In the digital age, a small compliance slip can still lead to a massive data breach. A single stolen smartphone can hold credentials that unlock thousands of records.
That’s why extending HIPAA compliance monitoring to your courier service is so important. Many offices focus their BAA efforts on digital partners such as cloud services. But these offices risk data breaches through lost physical assets.
What if a courier loses a thumb drive containing logins for a massive PHI database? What if the office never vetted the courier or had them sign a BAA? As prior HHS enforcement shows us, the courier’s medical clients could face massive fines.
What if a medical office thoroughly vets a courier and signs a BAA—but there’s still a courier data breach? In this worst-case scenario, the medical office may face little or no fine liability.
Navigating the Conduit Rule
What about the conduit rule?
This policy at first seems to lift some compliance burdens from medical offices. The conduit rule states that the USPS and “certain private couriers” are exempt from HIPAA. A conduit merely transports PHI from one party to another without accessing or storing it.
In practice, however, the conduit rule has proven narrow and difficult to define.
Some medical offices casually deem smaller partners “conduits.” They regret that choice later, when HIPAA fines for misclassification arrive. These fines are especially harsh if the so-called “conduit” failed to protect PHI.
That’s why more and more medical offices are prioritizing HIPAA compliance for couriers. After all, why argue with the HHS over what defines a “conduit” when you could simply protect PHI?
Looking Beyond the Fines
HIPAA fines are scary stuff. Medical offices are understandably scared of facing them, and patient privacy gets protected as a result.
But fines aren’t the only consequence of a HIPAA courier compliance problem. When medical offices experience a data breach—and especially an avoidable data breach—they lose patient trust.
That lost trust translates to lost patients and lost profits. In a worst-case scenario, a data breach can bankrupt a medical practice. And that’s before factoring in fines.
A good medical courier also has training and professionalism that extends beyond HIPAA compliance.
These couriers receive training in handling specimens, organ transplants, and biohazardous materials. There are profound consequences when these kinds of deliveries go wrong. Partnering with a trained medical courier helps you avoid them.
Couriers also help shape public perception of your business. An unprofessional courier reflects badly on your practice.
To the package recipient, a sloppy courier looks like an employee you had the bad judgment to hire. It doesn’t matter that you’ve actually never met them!
Courier delivery mishaps can cause serious problems for medical offices. That’s true even when PHI isn’t involved. A lost package or a late delivery can cause delays, financial losses, and poor medical outcomes.
Choosing the Best HIPAA-Compliant Couriers
What happens when your practice needs courier services?
Most offices start comparing service costs and looking over courier service options. Some offices make HIPAA compliance an afterthought—and that’s a mistake. This choice affects whether your office protects patients and avoids HHS fines.
Take a look at GO₂ Delivery and Logistics. We take pride in providing high-quality service for medical professionals.
Our HIPAA-compliant couriers are available 24/7 and undergo thorough background checks. All of our medical couriers receive training on safe PHI handling. Random audits ensure we’re always meeting HIPAA standards.
In addition to HIPAA compliance, we always prioritize your logistical and budgeting needs. Advanced dispatching ensures that your package arrives on time. Cost tracking prevents deliveries from breaking the bank.
Ready to learn more about partnering with a HIPAA-compliant courier service? Contact us for a quote today.