02-16-12 | Blog Post

Business Associates Must Be HIPAA Compliant By March 2012

While the Department of Health and Human Services (HHS) shows that business associate-related HIPAA breaches were responsible for 62 percent of the total number of patient records breached (as seen in this blog post), there has not been government legal action taken against business associates until recently.

Minnesota’s Attorney General is suing a business associate over an unencrypted data breach incident that occurred last year when a laptop containing 23,500 patient records was stolen from the business associate’s car. Accretive Health is a licensed debt collector that also provides a patient analysis service for hospitals.

Part of the reason they were targeted may be the added complexity of the case: not only did Accretive Health suffer a data breach, but the lawsuit claims it was also accessing and using patient data without the knowledge or consent of patients. According to the claim (PDF), one of its services provided a patient’s healthcare provider with the probability of that patient’s hospital admittance and the patient’s calculated potential financial worth, all based on perceived risk factors derived from the patient’s personal health information.

Another major HIPAA violation case involving a business associate was the Department of Defense’s military healthcare program, in which nearly the exact same incident occurred – a contractor employee left an unencrypted laptop in their car and it was stolen. About 4.9 million patients were affected. A lawsuit was filed by a few of the affected patients, and in the claim, they indicated the need for all contractor employees to be properly trained in how to handle personal health information (PHI).

Modifications to HIPAA Applicability

Are business associates lax on HIPAA compliance because the law has no teeth? That’ll change very soon – according to HealthCareInfoSecurity.com, March 2012 is the target date for releasing the final version of the HIPAA modifications and breach notification rule (also known as the Omnibus rule, from the Latin meaning “for all”). In the proposed version of the HIPAA modifications, business associates will be required to comply with the HIPAA standards, as seen in the change to the §164.104 Applicability rule:

When a health care clearinghouse creates or receives protected health information as a business associate of another covered entity, or other than as a business associate of a covered entity, the clearinghouse must comply with §164.105 relating to organizational requirements for covered entities, including the designation of health care components of a covered entity.

Roadmap to Achieving Compliance

How can a business associate avoid a potential HIPAA violation, subsequent lawsuits and fines? Try the following:

  • Conduct and document an initial risk assessment/analysis in order to check where your business is at when it comes to implementing HIPAA security safeguards, and where you need to fill in the gaps. This list of the Nine Components of a HIPAA Risk Analysis provides a good high-level overview of what you need to include in your document.
  • Research and understand the HIPAA standards and your role in handling PHI. As a HIPAA compliant hosting provider, Online Tech never accesses PHI or data on clients’ servers; we only provide the secure infrastructure necessary to protect sensitive information in a fully compliant environment.
  • Draft a business associate agreement (BAA) that clearly defines your role and obligation in handling a client’s sensitive data. Include clauses about contract termination, data ownership and breach notification. What’s in a Business Associate Agreement? provides a summary of the primary provisions to include in your BAA.
  • Ideally, invest in an independent HIPAA audit of your business in order to have the assurance and verification that your policies, procedures and services are in compliance. If you need guidance on which IT components can help you achieve compliance, read our HIPAA FAQ.
  • Train all of your employees in HIPAA compliant policies and procedures as they affect the day-to-day operations of your company and according to the level of security needed by position – an employee that transports sensitive data will need more specific guidelines to stay compliant and prevent a data breach. Document proof of employee training and awareness.
  • Appoint a Risk Management and Security Officer position in your company to implement, manage and oversee compliance and ensure everyone is following the documented policies and procedures, preferably someone with a strong technical background.

Or are you a covered entity that needs assurance that its business associates are handling PHI in a HIPAA compliant manner? Read our E-Tip on the top Five Questions to Ask Your HIPAA Hosting Provider.

References:
March Target for HIPAA Modifications
State of Minnesota vs. Accretive Health, Inc. (PDF)
Minnesota Sues Consulting Firm Over Lost Health Data
© 2024 OTAVA® All Rights Reserved