
Virtual Academy recap: Six Tips for Business Associate Compliance



HIPAA compliance for Business Associates (BAs) was the topic of MRO’s AHIMA Virtual Privacy and Security Academy session this month. I presented alongside my colleagues Sara Goldstein, Esq., general counsel, and Rita Bowen, MA, RHIA, CHPS, SSGB, vice president of privacy, HIM policy and education.

During this three-credit course, we discussed how BAs must now comply with the HIPAA Security Rule and certain provisions of both the HIPAA Privacy Rule and the HIPAA Breach Notification Rule. We emphasized that BAs can be held liable for violating these rules, as well as for violations by their subcontractors.

We also covered several best practices BAs can follow to stay HIPAA-compliant and avoid liability, which you can learn more about in Sara Goldstein’s recent post.

Although it’s difficult to summarize all of the valuable insight shared during our session, the six major tips offered by our experts included:

1. Check your insurance policy
Verify insurance coverage in the event of a HIPAA violation.

2. Conduct regular internal and third-party audits
Regular internal and third-party technical audits are the foundation of implementing Security Rule administrative, physical and technical safeguards.

3. Consider applying for Health Information Trust Alliance (HITRUST) certification
HITRUST provides an information security framework to harmonize standards and regulations.

4. Implement the right technologies
Technologies such as encryption, access-tracking software and record-integrity applications powered by optical character recognition (OCR) software can also drive BA HIPAA compliance.

5. Document compliance programs
Business Associate Agreements (BAAs) can ensure HIPAA compliance and hold subcontractors liable for potential violations.

6. Invest in training and education
Workforce members should undergo formal training at least once a year on privacy, security and compliance, as well as on federal and state disclosure laws, and the healthcare organization’s policies and procedures.

After covering these topics, the Virtual Academy session concluded with a fun, educational and impactful group activity where participants were assigned disclosure management case studies that explored how to identify HIPAA violations and breaches. Rita Bowen and I then tested the participants on their knowledge.

MRO’s team will delve more into the topic of BAs in the next session of AHIMA’s Virtual Privacy and Security Academy: “Advanced Business Associate and Subcontractor Management” on November 9, 2016. If you are interested in attending the session, please fill out the form below and you’ll receive MRO’s promo code for a 15 percent discount.


Five ways Business Associates can reduce breach risk and stay HIPAA-compliant



Business Associates (BAs) can be held liable for violations of certain provisions of the HIPAA Security, Privacy and Breach Notification Rules. Therefore, it is essential for BAs to ensure they have the appropriate measures in place, and are properly safeguarding the Protected Health Information (PHI) of Covered Entities (CEs).

As the trusted PHI disclosure management partner and BA of many of the nation’s leading healthcare provider organizations, MRO takes special measures to ensure compliance, and suggests fellow BAs add these tips to their checklists when reviewing their HIPAA compliance programs:

1. Review and update policies and procedures
One great way to verify that a BA has the required and up-to-date policies and procedures is to compare them to the HIPAA Administrative Simplification Rule’s table of contents, making sure the policies and procedures can be “cross-walked” to the applicable provisions of the HIPAA Rules.

2. Conduct a risk analysis on a regular basis
Conducting a thorough risk analysis provides the foundation for implementing many Security Rule safeguards. Additionally, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has cited organizations for failing to conduct proper and complete risk analyses in almost all its HIPAA violation resolution agreements. To help with this crucial process, HHS has published guidance that should be reviewed.

3. Confirm Business Associate Agreements
BAs can be held liable for certain violations of the HIPAA Regulations by their subcontractors—entities to whom the BA delegates a function, activity or service—if they do not have Business Associate Agreements (BAAs) in place. Therefore, it is critical that BAs have up-to-date BAAs with all subcontractors. For more information, HHS has published guidance on BAAs, containing a sample agreement.

4. Train your workforce
Workforce members should undergo formal training at least once a year to ensure they understand PHI use and disclosure requirements under federal and state law, and what policies and procedures the healthcare organization has implemented to ensure compliance.

5. Confirm insurance status
In the past year, organizations across the country have paid more than $16 million as part of resolution agreements and civil money penalties to the OCR for HIPAA violations. Given the cost of HIPAA violations, it is important that BAs confirm they have insurance coverage in the event of a HIPAA violation. This is especially important because many CEs require that their BAs indemnify them in the event of such an incident.

MRO will present on this topic on August 17, 2016 in AHIMA’s Virtual Privacy and Security Academy session “HIPAA Compliance for Business Associates,” worth three credits. Please enter your email address below to receive our special promo codes for 15 percent off registration.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.
