By Jack Anderson
December 7, 2012
Obamacare, The HITECH Act, ARRA, and Meaningful Use are the law of the land and will continue to be the law for at least 4 more years. HHS and OMB will soon publish the HIPAA HITECH rules, and enforcement will begin in 2013. According to HHS this will apply to 1.5 million BAs and over 1 million Subs.
The Notice of Proposed Rule Making (NPRM) published in July of 2010, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/nprmhitech.pdf which most experts believe will be very close to the final rule, gives BAs six months after a 30 day comments period to get compliant. This will seriously overload the privacy and security consulting industry which already has its hands full with the OCR audits, the Figliozzi audits, and helping CEs manage meaningful use.
CEs will become the enforcers as they realize that BAs constitute one of their highest risk areas for data breaches. In fact BAs have been responsible for 58% of the patient records breached. Until HHS starts enforcement of the HITECH Act the punishment for breaches applies only to the CE, but this will shift to shared responsibility for all groups accessing PHI.
So to paraphrase the famous line from SNL, “but what does this mean to me, Al Franken”, what does this mean to me as a BA or Sub? It means that in 2013 you will be getting a request from your CE for proof of compliance with HIPAA HITECH. This will be in the form of a questionnaire asking some of the following questions:
What type of PHI do you access?
What quantity of PHI do you access?
How do you access PHI?
How do you store PHI?
When did you do your last HIPAA Risk Assessment?
When did you sign your last BA agreement?
Who is your privacy and security officer?
When did you do your last staff training on HIPAA?
They might also ask you to send them a copy of your last risk assessment or other documentation such as documented policies and procedures.
But, you might be thinking, “How is my CE going to manage this process?” Well it turns out that they won’t be doing it themselves, they will have this service provided to them by privacy and security companies.
Let me give you an analogous situation. Hospitals and clinics became concerned about the vendor reps traipsing through their hallways, looking over people’s shoulders, asking lots of questions and of course selling their wares. Who were these people and what were their credentials?
A company stepped into the picture and offered a free service to track the vendor reps. While it was free to the hospital, and the basic service was free to the reps, the upgraded service was on an annual fee basis for the reps or their vendor companies. This business has now grown to over 3,000 facilities, 6500 vendor companies, and over 300,000 reps. HIPAA compliance for BAs and Subs is next.
So what should a smart BA or Sub do now? Get ahead of the pack. Hundreds of BAs have come to www.compliancehelper.com looking for solutions and we have been able to help some of them get compliant, stay compliant, and prove compliance with our Compliance Metertm. Most of them came because their CE asked them for proof of HIPAA compliance but some did it pro-actively to get a marketing advantage.
We can help you get compliant in 30 days or less with a cost effective and efficient process delivered with a SaaS method that also lets you have a personal privacy and security expert assigned to your account.
On January 8th and 10th we will be presenting free webinars with top privacy and security experts explaining this process. We will be sending a link for registration in the coming weeks