Business Associate HIPAA Compliance

February 25, 2013

In the article “Business Associate HIPAA Compliance,” the author, Stacy N. Harper of Lathrop & Gage, LLP, does a very good job of laying out what a business associate must do to be compliant with the HIPAA HITECH Final Rule. In practice it means developing an ongoing privacy and information security program that provides the maximum protection for the PHI accessed by the business associate. Here is her excellent checklist of what needs to be included in this program.

“Some of the more significant components of HIPAA Security compliance include:

Identification and segregation of protected health information within information technology systems;

Limitation of workforce access to protected health information to the amount necessary to perform job duties, including tracking and auditing of such access;

Implementation of policies and procedures, staff education, and corrective action process;

Performance of a security risk assessment and implementation of appropriate physical, technical, and administrative safeguards to appropriately manage identified risks;

Development of a system to manage data back-up, disaster recovery, and emergency mode operations;

Implementation of a system to monitor security of information systems containing electronic protected health information including review of audit logs and monitoring of staff compliance; and

Identification and security of all media and devices containing electronic protected health information, including use of appropriate encryption, tracking of movement, and monitoring of use.

Covered Entities and Business Associates have until September 23, 2013 to implement the changes required to comply with these new requirements.”

Compliance Helper has programs for business associates ranging from single 1099 workers up to large organizations. The Compliance Meter(tm) allows the business associate to demonstrate their ongoing compliance to all of their covered entities.
