Thursday, October 31, 2013

HIPAA - BUSINESS ASSOCIATES AND COMPLIANCE - NOT READY FOR PRIME TIME

At the AHIMA convention, October 26-30, 2013, much of my time was spent on HIPAA privacy and security. No surprises there, right? It has become pretty clear by now that this is a major focus area for me. After 2 full days in the privacy and security institute, which was fantastic, by the way, and another 3 days making the rounds in the privacy and security education tracks, I came away with a couple of observations that were a bit concerning.

UNDERSTANDING HIPAA COMPLIANCE REQUIREMENTS: By now, HHS has made it abundantly clear what is required of both covered entities and business associates. If you have followed HIPAA breach news or enforcement efforts at all, you know that fines are being assessed. What's more, OCR promises to audit business associates from this point forward, now that they are included under the HIPAA Omnibus Rule. We have seen varying degrees of preparedness among business associates, ranging from statements about their platform compliance, to those who say, "Well, we have never experienced a breach," to those who think their business associate agreement is all that is needed. Really - are you sure about that? If there are no policies in place, and no education for your staff to understand incident reporting requirements, how do you really know whether you've ever had a breach?

MANY BUSINESS ASSOCIATES ARE NOT PREPARED: With the HITECH Act of 2009, we knew about the extension of HIPAA to business associates and should have been fully prepared since or before that time. We have had access to the HIPAA audit protocol since the summer of 2012. This is an absolute roadmap to a solid compliance strategy. It is not difficult to understand exactly what is needed for compliance, yet many business associates continue to fall short. Here is a case to consider that should give you considerable pause: If a business associate hires an employee and provides that individual with a desktop computer or laptop to do their work, and a year later the employee suddenly disappears without a trace from the workforce, taking said computer, which likely contains PHI (it happens all the time, folks), is that a breach? Does that business associate know how to reasonably account for the potential PHI on that system? Without policies and procedures, a breach notification response team, and reporting processes that run through the required 4-step risk assessment, will the covered entity even be notified?

COVERED ENTITIES ARE UNCLEAR ON DUE DILIGENCE: Covered entities are expected to undertake due diligence steps to ensure that their business associate partners have taken appropriate steps towards compliance. This is one of the single most important steps healthcare organizations and individual providers should be taking to protect their patients' PHI. The new guidance from AHIMA clearly mentions the value and importance of this key step in the process. Yet, still today, this is not happening on nearly a wide enough scale.

KEY TASKS TO DO (yesterday) NOW: 

Business Associates - 
1. Do not delay in preparing to comply with all regulations under HIPAA
2. Get your policies and procedures documented (privacy, security, breach notification)
3. Train ALL workforce members and document that training has taken place. Hold them accountable for what they have learned.
4. Update your BAAs - this is particularly important for those who hire independent contractors.
5. Conduct your comprehensive security risk analysis. Yes, you do have to do one, regardless of the size of your organization, and it must be documented.

Covered Entities/Providers -
1. Make a list of ALL business associates.
2. Make sure that they have signed your updated business associate agreement - even if it is not due yet, proactively get these completed.
3. Ensure that you know where the work you are outsourcing is being performed. 
4. Ask for evidence-based proof of compliance (excerpts from policies, copy of BAA, risk analysis, etc.).
5. Ask for the name and contact information of your business associates' privacy officer, and establish an open dialogue about their compliance efforts today!

Compliance does not have to be expensive or burdensome, but it is required. Failure to comply with HIPAA can lead to an automatic willful neglect penalty. With over 12 million patients impacted by business associate breaches since 2009, there is clearly much room for improvement in practices, as well as in meeting the baseline requirements of the law. If you want more information on how we can help, contact us here.