Eight Tips to Get Your Business Associates to Comply with HIPAA

By HealthLeaders Media Staff
July 16, 2009

Your business associates (BAs) must comply with the HIPAA Security Rule beginning February 18, 2010.

That mandate is part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law by President Obama on February 17, 2009.

If complying with the HIPAA Security Rule sounds like a large task for, say, a small billing and coding company, well, that's because it is.

Encryption. Destruction. Firewall protection. There's a lot to it.

And their problem is your problem. After all, it's your patients' information at stake.

If your BA is good, you're good. If they're bad, well… just picture the front page of your local newspaper with your facility's name next to the word "breach" in a headline.

So where do your BAs begin? Hopefully, they've already started.

Here are eight tips you can share with your BAs to get them ahead of the HIPAA compliance deadline next February:

1. Perform a risk assessment.

Determine your primary vulnerabilities. "Find what your biggest threats to the security of your PHI are," says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Des Moines, IA. "You need to know where you are before you begin to form your policies and procedures. Check on the last time you had a security assessment, if ever, and start from there."

2. Make your own way.

As a BA, you must understand that you are responsible for your own compliance program, regardless of contract terms with a covered entity, says John R. Christiansen, an information technology lawyer at Seattle's Christiansen IT Law.

"You need to be responsible for your own security program with HIPAA," says Christiansen, chair of the newly formed HITECH Business Associates Task Force of the American Bar Association's Health Law Section and the HITRUST Business Associates Working Group of the Health Information Trust Alliance.

Do not simply accept what is thrown your way, he says. "Your program should be built based upon your organization's own unique risks," says Herold. "That's what your risk assessment will reveal."


3. Run a gap analysis on covered entity contracts.

HITECH is new, and existing contracts will probably leave gaps. "We haven't been in this world before," Christiansen says. "Find your gaps and what you will do about them."

You may want to wait for further regulations before you finalize your contracts. However, start by consulting your legal team. You may need to provide a contract in the future, but the onus now is only on the covered entity, according to current law.

4. Don't rewrite the entire contract.

"The changes to the BA contracts should be minimal," says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR. Apgar suggests including a new short statement or paragraph indicating that the BA must now comply with the HIPAA security rule and the use and disclosure provisions of the privacy rule.

5. Add breach notification language to BA contracts.

The language should require the BA to notify the covered entity within five days of a breach, Apgar says. This aligns with the new California breach notification requirement regarding the notification to the state that a breach has occurred and addresses the issue of when the 60-day notification clock starts.

"Also, I would recommend adding language requiring that the BA pay the cost of notification, which could get rather expensive if the breach includes a significant number of individuals," Apgar says.

6. Add language about the Red Flags Rule.

Covered entities (primarily providers) should consider adding additional language to the BA contract requiring that certain BAs implement identity theft management programs, Apgar says. The Red Flags Rule requires covered entities considered to be creditors by FTC standards to adopt an identity theft prevention program by August 1.

7. Build your breach notification processes.

This is perhaps the biggest change for BAs. Christiansen says BAs must put a policy in writing per the HITECH Act. "You need to be able to coordinate this by fall [of 2009] at the latest," he says. "This is going to be a big issue for a lot of BAs."

8. Train, train, train.

Herold says she's seen horrible training in the BA community. "Make sure your policies document the need for regular training, along with ongoing awareness communications," she says. "Then use effective training content. Just throwing words in front of your personnel is not training."

Get your hands on HIPAA resources, such as training books, e-learning courses, and webinars. Check with your covered entities to see what they have done.


Editor's note: These tips were taken from the HCPro, Inc. white paper, "Business Associates and HIPAA: What BAs need to know to comply with HIPAA privacy and security rules." Download a free copy of the full white paper.

Sign up for HCPro, Inc.'s July 29 audio conference, "Business Associates and Covered Entities: Adapt Contracts to Comply With New HIPAA Law."
