What your business needs to do about HIPAA—now
Venable LLP: Thora A. Johnson, Peter P. Parvis, Jennifer Spiegel Berman, Molly E. G. Ferraioli and Jessica E. Kuester

May 7, 2013

This article emphasizes that there are numerous things a business in the healthcare sector must do, now, to meet the requirements of HIPAA as amended by HITECH and the Final Omnibus Regulations.

“To do so, Covered Entities and Business Associates, including Subcontractors, must:

  • Review their current privacy and security compliance program;
  • Enter into, or amend, as appropriate, Business Associate Agreements to reflect the Final Regulations;
  • Educate Business Associates (including Subcontractors), as necessary, about their responsibility (and the responsibility of their Subcontractors) to safeguard PHI so as to mitigate chances of agents causing upstream liability;
  • Conduct a HIPAA security risk analysis and prepare/update a risk management plan. As part of this process, consider implementing encryption and destruction technologies in order to minimize the risk that PHI will be considered Unsecured PHI and, thus, able to be “breached;”
  • Create processes to discover breaches of Unsecured PHI;
  • Prepare/update a policy about how to handle breaches of Unsecured PHI;
  • Draft/update the other HIPAA security and privacy policies;
  • Update forms to reflect changes to individual rights;
  • Conduct HIPAA training on the updated policies; and
  • Update and distribute a Notice of Privacy Practices, as applicable.”

We would add that Covered Entities (CEs) need to set up an active program for managing their Business Associates (BAs) in order to obtain the “satisfactory assurances” that those BAs are compliant, now. Many BAs are under the mistaken impression that they have until September 2013 to become compliant, but if they have already signed a Business Associate Agreement they must comply with the terms of that agreement now.
