Four HIPAA Compliance Tips for Business Associates
The HITECH Act was a long time coming, especially because it holds business associates of covered entities accountable for compliance with the HIPAA Security Rule and with the use and disclosure provisions of the Privacy Rule.
It’s crucial for two particular reasons, according to Daniel Nutkis, CEO of The Health Information Trust Alliance (HITRUST):
- Security is only as strong as the weakest link: while a covered entity may be secure, its business associate may not be, effectively cancelling out the controls in place and reintroducing the risk of a breach of personal health information (PHI).
- The compliance requirements will force both covered entities and business associates to evaluate the scope of connectivity and the information shared (i.e., can these services be provided without sharing PHI?). Both of these items will tighten the scope and security around PHI, reducing the risk of disclosure and breaches of patient privacy.
HealthLeaders Media: Business associates must now comply with the HIPAA Security Rule and the provisions about disclosures in the Privacy Rule under the HITECH Act. How do you see the industry—covered entities and business associates—handling this?
Nutkis: Internally, both covered entities and business associates should be defining or updating their programs for business partner compliance management. At a high level, HITRUST recommends organizations take the following steps:
- Perform a gap analysis of the current compliance process. The analysis should include internal policies, procedures, and contracts against a common checklist of requirements that includes HIPAA, HITECH, and other applicable regulations.
- Develop or revise a business partner compliance program. The gap analysis will provide management with a clear understanding of what is needed for the purposes of allocating dollars, resources, and time, and how to prioritize these activities.
- Coordinate compliance with business partners. Once a program is in place or has been appropriately revised, it is time to start coordinating compliance with your partners, including customers, service providers, and peers. The value of compliance is limited if costs are high and timeframes are long; coordinating with others on a common approach and set of requirements will help contain these issues and reduce exposure.
- Implement and maintain compliance. Revise contracts with business partners as they expire, include addendums, and ensure new contracts are up to par with the new program. Ensure compliance is maintained through notification of any violations. Organizations can minimize issues by maintaining a list of security contacts at each partner.