Four HIPAA Compliance Tips for Business Associates
The HITECH Act was a long time coming, especially because it holds business associates of covered entities accountable for compliance with the HIPAA Security Rule and with the use and disclosure provisions of the Privacy Rule.
It’s crucial for two particular reasons, according to Daniel Nutkis, CEO of The Health Information Trust Alliance (HITRUST):
- Security is only as strong as the weakest link, meaning while a covered entity may be secure, their business associate may not, effectively cancelling out the controls in place and reintroducing the risk of a breach of personal health information (PHI).
- The compliance requirements will force both covered entities and business associates to evaluate the scope of connectivity and information shared (i.e., can these services be provided without sharing PHI). Both of these items will tighten the scope and security around PHI, reducing the risk of disclosure and breaches of patient privacy.
HealthLeaders Media: Business associates must now comply with HIPAA Security Rule and provisions about disclosures in the privacy rule per the HITECH Act. How do you see the industry—covered entities and business associates—handling this?
Nutkis: Internally, both covered entities and business associates should be defining or updating their programs for business partner compliance management. At a high level, HITRUST recommends organizations take the following steps:
- Perform a gap analysis of the current compliance process. The analysis should include internal policies, procedures, and contracts, checked against a common checklist of requirements that includes HIPAA, HITECH, and other applicable regulations.
- Develop or revise a business partner compliance program. The gap analysis will provide management with a clear understanding of what is needed for the purposes of allocating dollars, resources, and time, and how to prioritize these activities.
- Coordinate compliance with business partners. Once a program is in place or has been appropriately revised, it is time to start coordinating compliance with your partners, including customers, service providers, and peers. The value of compliance is limited if costs are high and timeframes are long; coordinating with others on a common approach and set of requirements will help contain these issues and reduce exposure.
- Implement and maintain compliance. Revise contracts with business partners as they expire, include addendums, and ensure new contracts are up-to-par with the new program. Ensure compliance is maintained through notification of any violations. Organizations can minimize issues by maintaining a list of security contacts with each partner.