Your business associates (BAs) must comply with the HIPAA security rule beginning February 18, 2010.
That mandate is part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law by President Obama on February 17, 2009.
If complying with the HIPAA security rule sounds like a large task for a small billing and coding company, that’s because it is. Encryption. Secure destruction of records. Firewall protection. There’s a lot to it. And your BA’s problem is your problem. After all, it’s your patients’ information at stake.
If your BA’s security is weak, well … just picture the front page of your local newspaper with your facility’s name next to the word “breach” in a headline. So where do your BAs begin? Hopefully, they’ve already started.
The following are eight tips you can share with your BAs to get them ahead of the HIPAA compliance deadline:
1. Perform a risk assessment. Determine your primary vulnerabilities. “Find what your biggest threats to the security of your PHI are,” says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Des Moines, IA. “You need to know where you are before you begin to form your policies and procedures. Check on the last time you had a security assessment, if ever, and start from there.”
2. Make your own way. As a BA, you must understand that you are responsible for your compliance program, regardless of contract terms with a covered entity, says John R. Christiansen, lawyer at Seattle’s Christiansen IT Law and chair of the newly formed HITECH Business Associates Task Force of the American Bar Association’s Health Law Section and the HITRUST Business Associates Working Group of the Health Information Trust Alliance.
“You need to be responsible for your own security program with HIPAA,” says Christiansen. Do not simply accept what is thrown your way, he says.
“Your program should be built based upon your organization’s own unique risks,” says Herold. “That’s what your risk assessment will reveal.”
3. Run a gap analysis on covered entity contracts. HITECH is new, and existing contracts will probably leave gaps. “We haven’t been in this world before,” Christiansen says. “Find your gaps and what you will do about them.”
You may want to wait for further regulations before you finalize your contracts. In the meantime, start by consulting your legal team. You may need to provide a contract in the future, but under current law the onus is only on the covered entity.
4. Don’t rewrite the entire contract. “The changes to the BA contracts should be minimal,” says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR. Apgar suggests including a new short statement or paragraph indicating that the BA must now comply with the HIPAA security rule and the use and disclosure provisions of the privacy rule.
5. Add breach notification language to BA contracts. The language should require the BA to notify the covered entity within five days of a breach, says Apgar.
A five-day window also aligns with California’s new breach notification requirement for reporting a breach to the state, and it settles the question of when the 60-day notification clock starts.
“Also, I would recommend adding language requiring that the BA pay the cost of notification, which could get rather expensive if the breach includes a significant number of individuals,” Apgar says.
6. Add language about the Red Flags Rule. Covered entities (primarily providers) should consider adding additional language to the BA contract requiring that certain BAs implement identity theft management programs, Apgar says.
7. Build your breach notification processes. This is perhaps the biggest change for BAs. Christiansen says BAs must put a policy in writing in accordance with the HITECH Act.
“You need to be able to coordinate this by fall [of 2009] at the latest,” he says. “This is going to be a big issue for a lot of BAs.”
8. Train, train, train. Herold says she’s seen horrible training in the BA community.
“Make sure your policies document the need for regular training, along with ongoing awareness communications,” she says. “Then use effective training content. Just throwing words in front of your personnel is not training.”
Get your hands on HIPAA resources, such as training books, e-learning courses, and webinars.
Check with your covered entities to see what they have done.