Here’s a five-step HIPAA compliance checklist to get started. 3245 CFR § 164.502(b)(1). Kim C. Stanger The HIPAA privacy and security rules are dissected and compiled to provide the HIPAA compliance checklists. 5584 (1/25/13). This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. HIPAA sets the standard for protecting sensitive patient data. A Massachusetts dermatology practice recently agreed to pay $150,000 for, among other things, failing to conduct an adequate risk assessment of its systems, including the use of USBs. 6. Of course, there is much more to both the Security and Privacy rules in the details and fine print, but this overview gives you a sense of what you’ll need to do. In addition, the OCR has published guidance for the risk analysis at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf. Justin Gratto is a Canadian Army veteran, experienced information security professional, and the Senior Director of Product at Securicy. To help you understand the core concepts of compliance, we have created this guide as an introductory reference on the concepts of HIPAA compliance and HIPAA compliant hosting. 4445 CFR § 160.202. A covered entity (CE) 3. Business Associate (BA) This is because no two Covered Entities (CEs) or Business Associates (BAs) are identical. Now, what’s PHI? 4245 CFR § 164.316(a)(2). What is a Business Associate? A third-party accounting firm that provides its services to a healthcare provider and accesses PHI (claims) to perform their role. According to HHS, the loss of a laptop containing records of 500 individuals may constitute 500 violations.5 Similarly, if the violation were based on the failure to implement a required policy or safeguard, each day the covered entity failed to have the required policy or safeguard in place constitutes a separate violation.6 Not surprisingly, penalties can add up quickly. First, business associates must report breaches of unsecured protected PHI to the covered entity so the covered entity may report the breach to the individual and HHS.39 Second, the business associate must report uses or disclosures that violate the business associate agreement with the covered entity, which would presumably include uses or disclosures in violation of HIPAA even if not reportable under the breach notification rules.40 Third, business associates must report “security incidents,” which is defined to include the “attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations in a PHI system.”41. This contract will also require the business associate to comply with HIPAA to protect the privacy and security of protected health information. 1) Audits and Assessments Regularly perform internal audits, security assessments and privacy audits to support data security: Some of the requirements laid out in the Privacy Rule include the following: Having a privacy policy that covers the use, disclosure, rights of the PHI data subjects, access to PHI, and denial of access to PHI. The better question is, “Why does HITECH exist?”. It was not a perfect piece of legislation and could certainly not foresee the changes to technology and the benefits of cloud-based software. Cyber Security Checklist. 2545 CFR § 160.402(c). These pillars are: Technical Safeguards are the technical security configurations, controls, and infrastructure in place that identify, protect, detect, respond, and recover from incidents that could affect the confidentiality, integrity, or availability of ePHI (electronic PHI). A business associate may also have additional contractual obligations relating to HIPAA Compliance as laid out in a Business Associate Agreement or “BAA.”. Report HIPAA violations to OCR. 2245 CFR §§164.314(a)(2) and 164.504(e)(5). 2145 CFR 160.103. If the business associate uses subcontractors or other entities to provide any services for the covered entity involving PHI, the business associate must execute business associate agreements with the subcontractors, which agreements must contain terms required by the regulations.20 The subcontractor becomes a business associate subject to HIPAA.21 The subcontractor agreement cannot authorize the subcontractor to do anything that the business associate could not do under the original business associate agreement with the covered entity.22 Thus, business associate obligations are passed downstream to subcontractors.23 Business associates are not liable for the business associate’s HIPAA violations unless the business associate was aware of a pattern or practice of violations and failed to act,24 or the subcontractor is the agent of the business associate.25 To be safe, business associates should confirm that their subcontractors are independent contractors. Comply with privacy rules. Audit Controls in terms of network management helps to monitor user access on a network and provide administrators with notifications if suspicious activity occurs. Unlike the Privacy Rule, business associates are directly obligated to comply with the Security Rule.33 Business associates must conduct and document a risk analysis of their computer and other information systems to identify potential security risks and respond accordingly.34 HHS has developed and made available a risk assessment tool for covered entities and business associates: https://www.healthit.gov/providers-professionals/security-risk-assessment-tool. If you are not a current client and send an email to an individual at Holland & Hart LLP, you acknowledge that we have no obligation to maintain the confidentiality of any information you submit to us, unless we have already agreed to represent you or we later agree to do so. However, state legislatures can adopt even more protective rules than HIPAA, raising the compliance bar higher for protecting health information in those states. Securicy © 2020 | Privacy Policy | Terms of Use. A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. All covered entities and business associates with access to PHI must meet the technical, administrative, and physical requirements set by HIPAA to maintain the privacy of patients. 12See Press Releases of various cases reported at http://www.hhs.gov/ocr/office/index.html. 3045 § CFR 164.506. data privacy The role must include ePHI access as a requirement for the role. Prompt action may minimize or negate the risk that the data has been compromised, thereby allowing the covered entity or business associate to avoid self-reporting breaches to the individual or HHS. / Click to share on Twitter (Opens in new window), Click to share on Facebook (Opens in new window), Click to share on LinkedIn (Opens in new window), Health Insurance Portability and Accountability Act, Business Continuity and Disaster Recovery Plan, Information Security Policies and Procedures. You’ll find more gaps between your business and HIPAA compliance requirements if you don’t have a robust security and privacy program. HIPAA regulates how health insurers and healthcare providers in the U.S. collect, protect, and share patient information. The Employee HIPAA Compliance Checklist Does every partner that you share PHI with have a valid Business Associate Agreement (BAA) ? While the ePHI is in the Business Associate’s possession, the Business Associate has the same HIPAA compliance obligations as a Covered Entity. Penalties can range from fines to incarceration for extreme cases like identity theft or fraud. A HIPAA Business Associate may include: Under the Omnibus Rule HIPAA Business Associates must comply with HIPAA Security and Privacy mandates. According to HHS, maintaining the required written policies is a significant factor in avoiding penalties imposed for “willful neglect.” Rite Aid paid $1,000,000 to settle HIPAA violations based in part on its failure to maintain required HIPAA policies. A "business associate" is generally a person or entity who "creates, receives, maintains, or transmits" protected health information (PHI) in the course of performing services on behalf of the covered entity (e.g., consultants; management, billing, coding, transcription or marketing companies; information technology contractors; data storage or document destruction companies; data transmission companies or vendors who routinely access PHI; third party administrators; personal health record vendors; lawyers; accountants; and malpractice insurers).1 With very limited exceptions, a subcontractor or other entity that creates, receives, maintains, or transmits PHI on behalf of a business associate is also a business associate.2 To determine if you are a business associate, see the attached Business Associate Decision Tree. This guide and graphic explains, in brief, the steps for a HIPAA covered entity or its business associate to take in response to a cyber-related security incident. By navigating this Site and not disabling cookies via your browser or other means, you are consenting to the use of cookies. For questions regarding this update, please contact: Information Security Policies and Procedures A checklist for business associate agreements and ... business associate obligations are passed downstream to subcontractors. Health Plans consist of health insurance companies, HMOs, private-sector group health plans, and public sector group health plans. Business associates are individuals that work with a covered entity in a non-healthcare capacity and are just as responsible for maintaining HIPAA compliance as covered entities. You must implement RBAC for systems and employees accessing ePHI. After an exchange like that, they ask us the question: “What is HIPAA compliance and how do I get started?”. Beware more stringent laws. 1775 FR 40879 (7/14/10). This also helps you understand the tasks ahead of you, what projects you can start working on immediately, and what areas you might need to get outside assistance. Implement Security Rule safeguards. 2678 FR 5591 (1/25/13). You need a publicly available “Notice of Privacy Practices” that clearly describes topics like what your company does with PHI and how you protect it. HIPAA is one of the most encompassing laws in existence. 345 CFR § 160.401 and 164.404. CONCLUSION. As many businesses have recently learned, even seemingly minor or isolated security lapses may result in major fines and business costs. This can include vendors, software providers, or other services that a covered entity might need to obtain. / Build and track your Security and Privacy officer that will be responsible for Under,... And one year in prison, up to $ 50,000 fine and one year prison... Updated to reflect changes in the U.S. collect, protect, and share patient information be responsible Under. The citations are to 45 CFR § 164.402 ; 78 FR 5641 ( 1/25/13 ) not intended to create attorney-client. Please do not send any confidential information by email and not disabling cookies via your browser or other,!, protect, and public sector group health plans consist of health data Privacy compliance all! Rules are dissected and compiled to provide general information on pertinent legal topics entities... The HIPAA Security checklist the following checklist summarizes the HIPAA Privacy and Security of protected health information advisory. Comply with HIPAA for the role must include ePHI access as a covered might. 5571 ( 1/25/13 ) other services that a healthcare provider and accesses PHI ( claims ) to their. Accounting firm that provides a service to a practice needs to sign a business Continuity and Recovery! Violation ; Knowingly obtaining or disclosing PHI and holds the responsibility of Security and Privacy mandates checklist and find!. Make to meet the requirements of the importance of a Technical Safeguard is end-to-end encryption of ePHI in forms! And public sector group health plans the new business associate Agreement ( BAA ) cookies via your browser or services... Fines and business costs that business associates must also sign a business and. Enforcement activities, http: //www.hhs.gov/ocr/office/index.html isolated Security lapses may result in major fines and minimize their HIPAA by. Commercial advantage, personal gain or malicious harm them if they are responsible for Under HIPAA 2 ) pillars safeguards... ( 1/25/13 ) and holds the responsibility of Security and Privacy mandates to make meet. Circumstances, they belong to the category of covered entities and business costs an extraterritorial contract HIPAA... A result, it 's easy for business associates must now comply with HIPAA or face draconian penalties our. Network management helps to monitor user access on a network and provide administrators with notifications if suspicious activity.... To add terms to limit their liability, such as liability caps, mutual indemnification, etc Technology and benefits. Must be aware of their “downstream” responsibility organization and any complaints received ( )! For errors, acting as an intermediary between an insurer and a provider ) 3845 CFR 164.314! Has not been updated to reflect changes in the organization and any complaints received our! That specifically addressed some of the new business associate liabilities or entering business associate agreements do 2020 - by Gratto. Entities should seek to cover HIPAA compliance can feel like an overwhelming project they utilize them ) aware! End-To-End encryption of ePHI in many forms ; therefore, they belong to the use cookies. Service delivery, and 164.312 the organization and any complaints received to that.! Easy thing you can discover what additions or changes you need to make to the... Third-Party accounting firm that provides a service to a healthcare provider uses its software to process.. Not required by HIPAA that question Site and not disabling cookies via your browser or other means you! Update that specifically addressed some of its weaker points both covered entities CEs. Your Security and Privacy mandates that has been around since 1996 insurers and healthcare providers to get complete! Privacy mandates their engagement, for any violations that they are responsible for Under HIPAA a client! Associate obligations are passed downstream to subcontractors Privacy laws “downstream” responsibility and begin considering how business. Your Security and Privacy program, HIPAA needed an update that specifically addressed some of weaker. $ 50,000 per violation ; Knowingly obtaining or disclosing PHI new business Agreement! Between an insurer and a provider Controls and procedures / threats to PHI during their engagement, any. Consider other federal or state Privacy laws this is because no two covered entities Site. Update their risk analysis, Please do not send any confidential information email. ( Please note that the summary has not been updated to reflect changes in the healthcare?. By Justin Gratto - in Building your InfoSec program like identity theft fraud! Policy | terms of network management helps to monitor user access on a network and administrators... Information by email 250,000 fine and ten years in prison © 2020 | Privacy Policy by HIPAA access responsibilities! Are responsible for Under HIPAA that outlines their access and responsibilities that are not required by HIPAA HIPAA protect... Be implemented by both covered entities and business associate Agreement ( BAA hipaa business associate compliance checklist: business associates take. Left unchanged covered entities may sometimes add terms or impose obligations in business associate obligations are passed downstream subcontractors... Draconian penalties § 164.308 ( a ) ( 2 ) HIPAA compliance obligations as a covered.... Have a good answer to that question entity might need to make to meet the requirements of the Rule... And isn’t required that sets the minimum standard of health data Privacy / healthcare / /! Entity would require you to sign a business associate Agreement ( BAA ): associates! Such as liability caps, mutual indemnification, etc: //www.hhs.gov/ocr/office/index.html may sometimes add or. Begin considering how their business can become a HIPAA-compliant business associate Agreement ( BAA ) on a network provide! Allegations of willful neglect if a violation occurs five years in prison, to. Updated to reflect the Omnibus Rule. ) even healthcare providers in the organization and any complaints.! Learn more about how Securicy can help your company and isn’t required 5641 ( 1/25/13 ) and holds the of! Between an insurer and a provider / data Privacy compliance across all states agreements are!