HIPAA HITETCH Compliance Blog Archive
First there was HIPAA, then HITECH, now Omnibus, what is a business associate supposed to do? Well since 60% of business associates surveyed had never heard of the Omnibus Rule get educated is critical.
The reasons an organization can't be "Certified HIPAA Compliant" are two fold; HHS has given no one authority to certify, and HIPAA compliance is an on-going, evolving process. A recent article from Scott & Scott LLP entitled "The challenges of compliance" encapsulates this nicely.
An employee of a covered entity was sentenced to 37 months in jail for violating HIPAA. regulations. In this case it was fraud since the employee was selling the patient records but in another famous case at UCLA it was caused by an employee "peeking" at famous patient's records.
OIG has stated that if a CE failed to perform even one measure of Meaningful Use they would have to return the stimulus funds and might be audited to determine if there was fraud. A Florida firm just had to pay back $31 million for falsely attesting to compliance.
AvMed paid a $3 million dollar class action settlement which is on top of any HIPAA penalties and costs. Penny wise pound foolish is an adage that applies to HIPAA compliance. Spend thousands to save millions.
What Next with HIPAA Omnibus? David Finn of Symantec on Top Compliance Challenges "It's going to be imperative that covered entities monitor and know what the business associates are doing, but they're not going to realistically be able to do that themselves."
Getting business associates HIPAA compliant in as little as 8 days requires technology, methodology and sound advice. Our partner, Rebecca Herold, CISSP, CIPP/US, CIPP/IT, CISM, CISA, FLMI, www.theprivacyprofessor.com was rated the number 3 privacy and security consultant in the world by Computerworld..
Disruptive innovation can provide low cost and efficient methods for HIPAA HITECH and Omnibus Rule compliance. The old model involved sending a consultant to the client with a policy and procedure manual under their arm but with SaaS or the cloud model we can send the consultant and the content over the Internet with interactive software.
HIPAA compliance software for business associates is different from HIPAA compliance software for covered entities. The difference is the need for on-going proof of compliance to satisfy their covered entities.
"So the education to help them understand their [new HIPAA] obligations, and to work with them to identity the bigger risk areas, and to create a corrective action plan or a remediation schedule - that's going to be an ongoing conversation for us. That is something that will never go away," Jeff Cobb, CISO at Capella Healthcare. The Tennessee-based health system, which operates 14 acute care and specialty hospitals in six states, deals with many smaller business associates that lack a mature security program
Are Your BAs HIPAA Compliant? "Think before you share, part III: is my data secure?" Foley & Lardner LLP Peter I. (Pete) Sanborn
"The general principle is to ensure the breadth and depth of the vendor’s security obligations are aligned with the sensitivity of the data. Additionally, the agreement should specify the vendor’s obligations in the event of a breach (both in terms of reporting/investigating the breach and in terms of paying for the downstream costs/expenses associated with notifying the impacted individuals), and your rights during the agreement to audit the vendor’s compliance with the security requirements.'
Time's up! Compliance deadline for HIPAA/HITECH final rules has arrived Blank Rome LLP Nicholas C. Harbist, Jennifer J. Daniels and Angela M. Guarino
"Relationship Review—Have you reviewed your relationship with vendors to ensure compliance with the Final Rules?'
Whether it is confusion or denial there are a lot of organizations that don't seem to understand that they are business associates and therefore are required to comply with HIPAA. The HITECH Act was passed in 2009 and amended HIPAA to include business associates, yet in 2013 we still get calls from people wanting to know if they are a business associate. Partually this is due to the fact that in 2010 HHS announced that they were delaying enforcement until the rules were published.
October 1, 2013 will be the beginning date for HIPAA audits of business associates. This is the beginning of the 2014 fiscal year for HHS and they will start setting up unannounced audits of business associates says Rachel Seeger, a spokesperson for the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA.
In the past a covered entity was not liable for breaches caused by their business associates if they had a BA agreement in place and did not know of a pattern of non-compliance. That has changed under the Omnibus Rule if the business associate is deemed an agent of the covered entity.
Ignorance of the HIPAA HITECH Omnibus Rule is rampant and can cause a lot of pain. We have developed a 10 question checklist to let you evaluate whether you are compliant.
In a recent survey, less than a month before the HIPAA HITECH Omnibus goes into effec,t a majority of business associates are unaware of the new requirements. Covered entities need to ask some questions, find out who is non-compliant. and ask them to remediate these risks. If they can't or won't they need to sever the business relationship.
Tick, tick, tick … time is running out for HIPAA Omnibus Rule compliance Davis Wright Tremaine LLP Rebecca L. Williams, Adam H. Greene and Amy L. Kauppila
Business associates should consider:
- Performing a risk analysis and risk management evaluation;
- Developing security policies and procedures consistent with the Security Rule;
- Updating breach notification policies;
- Establishing processes for verifying the business associate’s compliance with its BAA obligations; and
- Developing an approach for negotiating BAAs (for both covered entities and subcontractors) including updating BAA templates.
The deadline for compliance with the HIPAA Omnibus Rule is September 23, 2013. Are you ready? Greenberg Traurig LLP Eleanor (Miki) A. Kolton
"Obtaining a seal is a “place in time” controls assessment. Material changes to the environment would trigger another audit, as a 3rd party cannot attest to effective controls if an entity changes them. To compensate, material changes need to coincide with audit review cycles, which may not align with business objectives." The Compliance Meter displays the current level of HIPAA compliance in four key areas; policies, procedures, and forms up to date, and HIPAA compliance tasks up to date.