Besides stimulating the economy, the new American Recovery and Reinvestment Act aims to modify the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). For ISOs and MSPs in the health-care market, that could mean new levels of risk and responsibility.

The issue of whether an ISO or MSP qualifies as a “covered entity” under HIPAA, and is therefore required to comply is not entirely clear-cut, says Mary Dees Griffith, president and COO of Preferred Health Technology in Carrollton, Texas. Griffith, whose company provides electronic payment, processing, and ancillary services to health-care entities, notes that while “a financial institution or payment processor may not be technically exempt from HIPAA, it also may not necessarily fall into the covered entity category in accordance with Administrative Simplification Standards adopted by Health and Human Services (HHS) under HIPAA.”

Download the full PDF