Eight Tips to Get Your Business Associates to Comply with HIPAA

HealthLeaders Media Staff, July 16, 2009

Your business associates (BAs) must comply with the HIPAA Security Rule beginning February 18, 2010.

That mandate is part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law by President Obama on February 17, 2009.

If complying with the HIPAA Security Rule sounds like a large task for, say, a small billing and coding company, well, that's because it is.

Encryption. Destruction. Firewall protection. There's a lot to it.

And their problem is your problem. After all, it's your patients' information at stake.

If your BA is good, you're good. If they're bad, well…just picture the front page of your local newspaper with your facility's name next to the word "breach" in a headline.

So where do your BAs begin? Hopefully, they've already started.

Here are eight tips you can share with your BAs to get them ahead of the HIPAA compliance deadline next February:

1. Perform a risk assessment.

Determine your primary vulnerabilities. "Find what your biggest threats to the security of your PHI are," says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Des Moines, IA. "You need to know where you are before you begin to form your policies and procedures. Check on the last time you had a security assessment, if ever, and start from there."

2. Make your own way.

As a BA, you must understand that you are responsible for your own compliance program, regardless of contract terms with a covered entity, says John R. Christiansen, an information technology lawyer at Seattle's Christiansen IT Law.

"You need to be responsible for your own security program with HIPAA," says Christiansen, chair of the newly formed HITECH Business Associates Task Force of the American Bar Association's Health Law Section and the HITRUST Business Associates Working Group of the Health Information Trust Alliance.

Do not simply accept what is thrown your way, he says. "Your program should be built based upon your organization's own unique risks," says Herold. "That's what your risk assessment will reveal."

