Four HIPAA Compliance Tips for Business Associates
The HITECH Act was a long time coming, especially because it holds business associates of covered entities accountable for compliance with the HIPAA Security Rule and the use and disclosure provisions of the Privacy Rule.
It’s crucial for two particular reasons, according to Daniel Nutkis, CEO of The Health Information Trust Alliance (HITRUST):
- Security is only as strong as the weakest link, meaning while a covered entity may be secure, their business associate may not, effectively cancelling out the controls in place and reintroducing the risk of a breach of personal health information (PHI).
- The compliance requirements will force both covered entities and business associates to evaluate the scope of connectivity and information shared (i.e., can these services be provided without sharing PHI). Both of these items will tighten the scope and security around PHI, reducing the risk of disclosure and breaches of patient privacy.
HealthLeaders Media: Business associates must now comply with HIPAA Security Rule and provisions about disclosures in the privacy rule per the HITECH Act. How do you see the industry—covered entities and business associates—handling this?
Nutkis: Internally, both covered entities and business associates should be defining or updating their programs for business partner compliance management. At a high level, HITRUST recommends organizations take the following steps:
- Perform a gap analysis of the current compliance process. The analysis should include internal policies, procedures, and contracts against a common checklist of requirements that includes HIPAA, HITECH, and other applicable regulations.
- Develop or revise a business partner compliance program. The gap analysis will provide management with a clear understanding of what is needed for the purposes of allocating dollars, resources, and time, and how to prioritize these activities.
- Coordinate compliance with business partners. Once a program is in place or has been appropriately revised, it is time to start coordinating compliance with your partners, including customers, service providers, and peers. The value of compliance is limited if costs are high and timeframes are long; coordinating with others on a common approach and set of requirements will help contain these issues and reduce exposure.
- Implement and maintain compliance. Revise contracts with business partners as they expire, include addendums, and ensure new contracts are up-to-par with the new program. Ensure compliance is maintained through notification of any violations. Organizations can minimize issues by maintaining a list of security contacts with each partner.