In 1996, then-President Bill Clinton signed the Health Insurance Portability and Accountability Act, more popularly known as HIPAA. The law contains security and privacy provisions to protect medical information, and it also lets workers keep health insurance coverage when they change or lose their jobs. HIPAA has gained prominence in recent years because of several well-publicized health data breaches.
HIPAA's Privacy Rule establishes national standards to protect individually identifiable health information, known as protected health information or PHI. The privacy provisions originally applied only to covered entities in the health industry: health plans, health care clearinghouses, and most health care providers. The Department of Health and Human Services (HHS), the lead agency for HIPAA enforcement, later extended the rules' reach by amending its regulations. Specifically, the HIPAA Omnibus Rule that HHS issued in 2013 made business associates, the vendors of covered entities, directly liable for compliance and spelled out their responsibilities.
All this might be a lot to take in, but it is important knowledge for shippers and logistics providers to have. That's why we're devoting an entire article to HIPAA compliant shipping and its implications for last mile delivery.
What Is HIPAA Compliance in Logistics and Transportation?
Even though they are not part of the health care sector, logistics and transportation companies may still need to adhere to HIPAA standards. The Omnibus Rule requires compliance with the HIPAA Privacy and Security Rules by business associates: entities engaged by organizations in the healthcare industry to perform functions or activities on their behalf that involve PHI.
Transportation and logistics providers fall into the category of business associates if they provide data-transmission services involving PHI and require routine access to that PHI. Non-emergency medical transportation firms hired by health plans and Medicaid agencies are also business associates covered by HIPAA.
Contractors and vendors of transportation and logistics firms are subject to HIPAA as well, since the Omnibus Rule defines a business associate to include any subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate. For logistics and last mile delivery companies, this means that their software providers and cloud hosting companies, to name a few, also have to comply with HIPAA privacy and security standards and sign a business associate agreement.
Do You Really Need HIPAA Compliant Shipping and Logistics Software?
Simply put: yes, you do. Businesses engaged in delivery and logistics often rely on technology to run their fleets efficiently, and any such system that touches PHI brings its vendor within HIPAA's scope. Given HIPAA's strict requirements, companies must choose providers that can demonstrate HIPAA compliance. Note that HHS does not itself certify vendors, so "HIPAA compliant" in practice means the provider will sign a business associate agreement and has had its safeguards independently assessed.
DispatchTrack, an innovator in the logistics industry and the preferred software of many industry players, is already HIPAA and SOC2 compliant. SOC2 is an independent audit, conducted under AICPA standards, of the controls a service provider uses to keep its clients' data secure. It is a minimum requirement for businesses handling sensitive data when they evaluate a SaaS provider.
As a logistics SaaS vendor to the health industry, DispatchTrack's software has been used to schedule patient transportation as well as deliveries of medical equipment and medicine to both individuals and hospitals.
One of its clients, Gerimed, a sought-after supplier to long-term care patients, uses DispatchTrack's product to optimize deliveries of pharmaceutical products to nursing homes for the elderly. DispatchTrack integrates with Gerimed's ERP system so that each box of supplies or medicine is tracked from the moment it is loaded onto a delivery vehicle until it is delivered to the nursing home.
Entities that choose DispatchTrack can be assured of a high standard of data security that's already certified for HIPAA Compliance and audited for SOC2.
Is There a HIPAA Compliance Checklist for Logistics and Delivery Companies?
Business associates and vendors are covered by the three broad categories of safeguards in the HIPAA Security Rule, namely administrative, physical, and technical.
Administrative safeguards are the elements that define an entity's security management process, such as risk analysis, workforce training, and the policies and procedures for selecting, implementing, and maintaining the security measures that protect PHI.
Physical safeguards are measures that address physical security risks, such as facility access controls, workstation use and security, and controls over the devices and media that hold PHI.
Technical safeguards cover the technology, and the policies governing its use, that covered entities and business associates must implement to protect electronic PHI, such as unique user identification, emergency access procedures, audit controls, and encryption.
Logistics and delivery companies engaged as vendors or business associates of healthcare entities should therefore check whether they satisfy the safeguards outlined by HIPAA. The following questions help gauge compliance with HIPAA requirements.
- Are your vendors HIPAA and SOC2 compliant?
- What features and functionality do your logistics software provider offer you to help with HIPAA compliant shipping?
- Do your contracts with vendors that may handle, store, or ship PHI require compliance with HIPAA standards, that is, is a business associate agreement in place?
- Is your vendors' access to PHI limited to the minimum necessary for their job functions?
- Do your vendors destroy or dispose of PHI once it is no longer needed, following established record-management policies and procedures?
- Do your vendors verify the source and integrity of PHI transmitted to them?
- Are the vendors' work areas where documents containing PHI are kept in secure locations with limited physical and electronic access?
- Do vendors take special precautions during fieldwork or when working from home to ensure that PHI on company-issued devices such as laptops and mobile phones is secured?
What Is The Conduit Exception Rule?
The HIPAA conduit exception allows covered entities to use certain vendors without entering into a business associate agreement. It applies to entities that merely transmit PHI, have no more than transient access to it incidental to the transmission, and do not store it beyond what that transmission requires. These companies act only as conduits through which PHI flows. Examples HHS gives of such conduits are the United States Postal Service, private couriers like UPS, FedEx, and DHL, and internet service providers.
The conduit exception does not cover logistics and delivery companies that have access to PHI and can store it. Businesses must therefore be careful about classifying themselves as conduits, since misclassification can lead to significant financial penalties.
What Are the Penalties for Non-Compliance to HIPAA?
There's a high price to pay for failing to comply with HIPAA requirements. Companies found in violation of the law can face civil fines ranging from $100 to $50,000 per violation, up to $1.5 million per year for violations of the same provision. There are also criminal penalties, which may include a fine of up to $50,000 and imprisonment of up to one year. Criminal offenses committed under false pretenses can cost violators up to $100,000 and/or imprisonment of up to five years. It's even worse for offenses committed with intent to sell or use PHI for commercial advantage, personal gain, or malicious harm: the fine is up to $250,000 and imprisonment of up to 10 years.
Business associates, including delivery and logistics firms, are not exempt from these penalties: since the Omnibus Rule they are directly liable, and those found to have acted with willful neglect face the highest civil penalty tiers. Beyond the fines, companies also risk lasting damage to their brand from the negative publicity.
How Can Delivery Providers Simplify HIPAA Compliance?
Compliance with HIPAA is a must for every organization that handles PHI, including companies engaged in logistics and delivery. Fortunately, you can ensure strict adherence to HIPAA among your software vendors by choosing one that has already been independently assessed for HIPAA compliance and will sign a business associate agreement.
At DispatchTrack, we take pride not only in offering best-in-class technological solutions but also in complying with privacy laws. We have the HIPAA and SOC2 certifications to prove our commitment to upholding the highest data protection standards. In this way, we're able to help organizations optimize their last mile deliveries even when HIPAA compliance is a factor.