HIPAA Blog Posts: HIPAA Business Associates
The Health Insurance Industry is Leaking HIPAA Data: A cursory examination of the Wall of Shame, which records HIPAA data breaches of more than 500 records, reveals that insurance companies are leaking data; in fact, by my calculations they have leaked over 3.5 million patient records.
Two big items are in the news today: one is increased HIPAA audits and fines coming from HHS, and the other discusses monitoring of HIPAA business associates. Which should you fear the most? This is an example of Hobson's Choice or Morton's Fork, where neither choice is good: the monitoring can cause an immediate loss of revenue, versus a possible fine somewhere in the future in the case of an audit from HHS.
Big HIPAA breaches are primarily electronic (EPHI), but 61% of small HIPAA breaches (fewer than 500 records) involve paper records. Mass General paid a $1 million fine for the loss of 192 paper patient records. An employee left the paper records on the subway and they were never found.
Insurance producers as well as their agents are being asked to provide proof of HIPAA compliance by the insurance carriers. They are asking for copies of policies and procedures as well as risk assessments.
Here is a Health and Human Services quote about HIPAA certification: "It is important to note that HHS does not endorse or otherwise recognize private organizations' 'certifications' regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a 'certification' by an external organization does not preclude HHS from subsequently finding a security violation."
Getting HIPAA compliant requires some work, but for most business associates it does not have to be an unmanageable task. The important thing is to have a plan and document your work.
A HIPAA breach involving the posting of information about 15,000 Boston Medical Center patients on a transcription firm's unsecured website serves as a reminder of the importance of monitoring the security practices of all business associates.
HIPAA is the Health Insurance Portability and Accountability Act, and Hippa is the feminine of Hippo. Forgive the bad joke, but getting this wrong raises a red flag for everyone in the healthcare privacy and security industry. If it is just a typo, you might get forgiveness after everyone gets a good chuckle. If it indicates a lack of knowledge, it can be a bigger problem.
In the next round of HIPAA audits the first stage will be a "desk audit" which will require the business associate to send copies of their latest risk assessment and copies of updated policies and procedures. The HIPAA Omnibus Rule took effect in September of 2013 and requires significant changes in policies and procedures. Policies and procedures written prior to the HIPAA Omnibus Rule are out of date.
A HIPAA compliance checklist gives you a snapshot view of your compliance, while our Compliance Meter (tm) displays your on-going HIPAA compliance. Why is that important? HHS says that HIPAA compliance is a process, not an event; in fact, it is an on-going process because things change in your company, and that affects your HIPAA compliance. The Compliance Meter (tm) shows you and your business partners your level of compliance on an on-going basis.