Tips to Get Your Business Associates to Comply with HIPAA

Reproduced from [name of publication] © 2008 HCPro, Inc., 200 Hoods Lane, Marblehead, MA 01945. 781/639-1872. www.hcpro.com. Used with permission.

Your business associates (BAs) must comply with the HIPAA Security Rule beginning February 18, 2010. That mandate is part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law by President Obama on February 17, 2009. If complying with the HIPAA Security Rule sounds like a large task for, say, a small billing and coding company, well, that's because it is. Encryption. Destruction. Firewall protection. There's a lot to it.

And their problem is your problem. After all, it's your patients' information at stake. If your BA is good, you're good. If they're bad, well…just picture the front page of your local newspaper with your facility's name next to the word "breach" in a headline. So where do your BAs begin? Hopefully, they've already started.

Here are eight tips you can share with your BAs to get them ahead of the HIPAA compliance deadline next February:

1. Perform a risk assessment.

Determine your primary vulnerabilities and identify the biggest threats to the security of your PHI. You need to know where you stand before you begin to form your policies and procedures. Check when you last had a security assessment, if ever, and start from there.

2. Make your own way.

As a BA, you must understand that you are responsible for your own HIPAA compliance and security program, regardless of the contract terms with a covered entity. Do not simply accept what is thrown your way; your program should be built on your organization's own unique risks. That's what your risk assessment will reveal.

3. Run a gap analysis on covered entity contracts.

HITECH is new, and existing contracts will probably leave gaps. We haven't been in this world before; find your gaps and decide what you will do about them. You may want to wait for further regulations before you finalize your contracts. However, start by consulting your legal team. You may need to provide a contract in the future, but under current law the onus is only on the covered entity.

4. Don't rewrite the entire contract.

The changes to the BA contracts should be minimal. Include a new short statement or paragraph indicating that the BA must now comply with the HIPAA Security Rule and the use and disclosure provisions of the Privacy Rule.

5. Add breach notification language to BA contracts.

The language should require the BA to notify the covered entity within five days of a breach. Also add language requiring that the BA pay the cost of notification, which could get rather expensive if the breach includes a significant number of individuals.

6. Add language about the Red Flags Rule.

Covered entities (primarily providers) should consider adding language to the BA contract requiring that certain BAs implement identity theft management programs. The Red Flags Rule requires covered entities considered to be creditors by FTC standards to adopt an identity theft prevention program by August 1.

7. Build your breach notification processes.

This is perhaps the biggest change for BAs. Under the HITECH Act, BAs must put a breach notification policy in writing. You need to have this coordinated by fall [of 2009] at the latest; this is going to be a big issue for a lot of BAs.

8. Train, train, train.

I’ve seen horrible training in the BA community. Make sure your policies document the need for regular training, along with ongoing awareness communications, and then use effective training content. Just throwing words in front of your personnel is not training.

Get your hands on HIPAA resources, such as training books, e-learning courses, and webinars. Check with your covered entities to see what they have done.
