
3 Tips For HIPAA Privacy Officers

By jsimmons@healthleadersmedia.com, September 07, 2010

The HIPAA compliance world awaits two major final rules per HITECH—the breach notification final rule and the rule that covers modifications to the privacy, security and enforcement rules.

But that’s no reason to sit idle.

Here are a few tips for HIPAA privacy and security officers as they await the final rules:

1. Focus on business associates (BAs) and contracts with them. CEs need to be certain that they have identified all of their BAs and that they are bound by BA agreements, says John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD.

HITECH made BAs subject to compliance with the HIPAA Security Rule and the use and disclosure provisions of the HIPAA Privacy Rule.

The proposed rule makes it clear that HIPAA and HITECH apply to BAs and require them to comply with most of the same rules as CEs. If they haven’t done so already, CEs must review their BA agreements to ensure that they include appropriate language, says Phyllis A. Patrick, MBA, FACHE, CHC, cofounder and managing director of AP Health Care Compliance Group, which has offices in Pittsburgh and Purchase, NY.

CEs must ensure that their BA agreements emphasize the need for BAs to be up to date with the latest HITECH requirements pertaining to the HIPAA privacy and security rules and enforcement compliance/outcomes for noncompliance, says Parmigiani.

BAs need to make sure BA contracts are in place for all of their CE customers. HITECH made BAs equally responsible for entering into a BA contract with CE customers. BAs should ensure the contracts include language that puts the CE on notice that the BA is required to inform the CE if the CE appears to be violating the HIPAA privacy and security rules. If the CE does not comply with the rules within a reasonable length of time, the BA is required to report the CE's violations to OCR.

BA contracts should address the role of BAs in a privacy breach in more specific language. Address questions such as breach notification requirements and financial responsibility for responding to a breach, says Patrick. “All that needs to be spelled out,” she says.

HITECH addressed the need for BA compliance. The proposed rule would extend compliance requirements to BA subcontractors by expanding the definition of BA to include them.

CEs are required to include language in BA contracts that mandate downstream compliance with the HIPAA privacy and security rules by BAs’ subcontractors with access to the CE’s PHI, says Parmigiani. Be sure BA contracts require BAs to impose compliance requirements on subcontractors.

2. Focus on working relationships with BAs. Sometimes CEs sign contracts with their BAs and their interaction ends there. “You have agreements with people who have never even met each other,” says Patrick. CEs need to know they can count on their BAs if a security breach occurs, she says. That’s when you want to be able to pick up the phone to communicate with your BA and know you can rely on people there. There must be a good working relationship between the BA, the department head who works most closely with that BA, and the HIPAA privacy and security officer.

This is especially true for BAs who work with a large quantity of PHI. This can include vendors involved in IT, electronic data interchange, third-party billing, health plans, and pharmacy benefits.

3. Create an informal forum to bring together privacy and security officers with other staff members concerned with patient safety. The proposed rule would revise the privacy rule’s definition of healthcare operations to include a reference to patient safety activities. Patient Safety Organizations, which receive reports of patient safety events or concerns from providers and analyze events, will be considered BAs of covered healthcare providers.

Patrick says patient privacy should be considered a piece of the regulatory pie, along with safety and quality. At many healthcare organizations, privacy and security programs and patient safety programs operate in silos, she says. The proposed rule will make it more important for HIPAA privacy and security officers to reach out to staff members involved in quality and patient safety at their organizations.

A group consisting of representatives of those programs met monthly and provided a forum to discuss common issues at a hospital where Patrick once worked. Members provided updates so everyone knew what was happening in other programs. Organizations that do this may also consider involving representatives from the patient relations department.

This type of forum is a good place to address risk assessments together, Patrick says. The meetings can be confidential with no minutes or record necessary.

“This is a way of breaking down silos. It helps everyone in the long run,” she says. “I would urge every organization to start a forum, even if you start with two or three people. It will pay dividends.”

Correspondent Joanne Finnegan contributed to this report.

Janice Simmons is a senior editor and Washington, DC, correspondent for HealthLeaders Media Online. She can be reached at jsimmons@healthleadersmedia.com.
