Friday 24 April 2015

HIPAA Business Associate Agreements Broken Down at HIMSS15

HIPAA business associate agreements are an important aspect of the HITECH Act and the Omnibus Rule, and covered entities need to understand how their relationships with business associates have changed. When it comes to risk assessments, HIPAA Security Rule compliance, and employee training, both covered entities and business associates need to know how they are affected. Without a proper business associate agreement, a covered entity could have more difficulty recovering after a data breach.

A HIMSS educational session focused on this wide topic last week and discussed best practices for both covered entities and their business associates. Gerry Hinkley, a partner at Pillsbury Winthrop Shaw Pittman LLP, and Deven McGraw, JD, MPH, LLM, a partner at Manatt, Phelps & Phillips LLP, led the discussion, titled Challenges Working with or Being a HIPAA Business Associate.

There are several challenges in BA management, according to the duo. For example, keeping track of BA relationships can be a challenge for large covered entities, as those facilities often have numerous BAs in place. The origin of the relationship can also affect this, as some BA relationships are managed by legal or compliance departments rather than by the business unit that uses the vendor.

Citing data from a white paper funded by the California HealthCare Foundation, McGraw said that most CEs do not have processes in place to ensure that BAs destroy or return PHI when the relationship ends. Of those that do, the manager of the business relationship plays an important role in the process.

The discussion also touched on how the HITECH Act has affected CE and BA relationships. Vendors of cloud storage services are now more likely to consider themselves a BA, which is a change from before the Act. Also, some CEs view direct BA accountability as a positive development, while others do not see it making a significant difference.

“Since HITECH we have placed more emphasis on ensuring that our Business Associates understand their obligations with respect to their subcontractors,” an organization interviewed for the white paper said. “We also probe more closely into with whom our Business Associates share our PHI.”

In the question and answer portion at the end of the presentation, one audience question centered on self-insured organizations and how HIPAA requirements apply to them. Essentially, as covered entities, must they carry out risk assessments, and what is a reasonable period in which to do so?

According to Hinkley, risk assessments are easier to carry out when they have been broken down into smaller sections. Risk assessments shouldn’t be started from scratch every three years, for example, he said; employees shouldn’t be left waiting three years to do one. Instead, small parts of the risk assessment can be added to employees’ job descriptions and then completed each month over the three-year period.

“Take the components of your risk assessment and you divide it by 36,” Hinkley said. “And you do 1/36 of it every month. When you’re done, you start again. That allows ongoing remediation and gives you an ongoing function where people can say, ‘Oh, that’s my job,’ instead of, ‘Oh God, a risk assessment is coming up.’”

Another submitted question asked whether, and why, penalties are enforced against large, for-profit organizations. This is especially pertinent in the wake of large-scale breaches at Anthem, Inc. and Premera Blue Cross.

McGraw explained that regulators are going to come in and “look under the hood” in the context of any health data breach. It’s important to remember that the investigation will not always center only on the issue that led to the breach itself.

“That’s what’s going to bring them in your door, and then they’re basically going to assess your compliance across the board,” McGraw said. “I think you’ll see with any of the monetary settlements that have occurred in the enforcement space since HITECH was enacted, is that usually an incident or a complaint that brings the regulators in the door, they do not limit their look to just at that particular incident.”

At the federal level, the regulators will try to assess whether a covered entity was out of compliance with the law in a way that caused the data breach, or whether the facility was in compliance and an incident occurred anyway, she said.

“And there’s a distinction between that, because you can’t reduce that risk to zero,” McGraw said. “But if you’re out of compliance significantly with security rule requirements under HIPAA, then regulators are potentially going to use that to fine you. But, they’ll make a fining decision based on what they found, not just the fact that you had a breach.”

To that point, Hinkley added that it’s also helpful for covered entities to be upfront about what happened. Covered entities must do the right thing, particularly with remediation, he said.

“The government likes that,” Hinkley said. “If there’s a data breach in an environment that is reasonably compliant, and you were really sorry and you dealt with it, I think that’s a significant impact on reducing fines.”

Source: http://ift.tt/1Ezw4C0

from health IT caucus http://ift.tt/1Hx6ii9