Insights from MRO’s Legal Expert: Best Practices for Incident Response Plans

Data breaches cost companies an average of $221 per compromised record. Heavily regulated industries, like healthcare, tend to have per capita data breach costs substantially higher than the overall mean. In fact, according to an American National Standards Institute (ANSI) survey of institutions that experienced a reported breach, healthcare breaches can cost $8,000 to $300,000, in addition to any U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) penalty or settlement.

Healthcare data contains a wide range of identifying information, including social security numbers, birthdates and home addresses. This makes health information very valuable, necessitating effective breach prevention and incident response plans. Here are five best practices.

Create a Patient Data Protection Committee

Everyone involved in protecting Protected Health Information (PHI) at a healthcare organization must communicate with each other regularly. Creating a patient data protection committee will facilitate this communication. This committee should conduct some privacy functions for the organization, like overseeing patient privacy and security programs, performing quarterly risk analyses and assessments, and reviewing policies and procedures annually.

Provide Ongoing Education and Training

Many breaches are caused by unintentional employee actions during the normal Release of Information (ROI) process. Unfamiliarity with proper policies and procedures for the use and disclosure of health information is frequently to blame. With this in mind, fostering a culture of compliance is key to stopping these breaches.

As part of this culture of compliance, workforce members should undergo formal training at least once a year.

Encrypt

Utilizing technology to strengthen compliance is a must. Electronic PHI (ePHI) should always be encrypted before distribution, fortifying the data against breach.

Test the Effectiveness of the Compliance Program

Keep your compliance program current by performing regular effectiveness tests. Mock breach exercises and the use of fake phishing emails are great ways to keep employees up to date on compliance.

Assess BA Compliance

It is important that Business Associates (BAs) are compliant. Conducting regular due diligence and periodic vendor audits will ensure BA compliance. Make sure Business Associate Agreements (BAAs) are in place.

This blog’s author, Sara Goldstein, Esq., will give presentations on the topic of breach management and incident response at upcoming NCHIMA, MDHIMA, and FHIMA annual meetings.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed attorney in your state.

Field Report: HCCA Compliance Institute and HIPAA Summit

I recently attended the Health Care Compliance Association’s (HCCA) Compliance Institute and the annual HIPAA Summit, both in the Washington, D.C. area, where representatives from the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) delivered remarks on what to expect from their office in 2017. I reported on my experiences at these events in an article for RACmonitor; here are some highlights.

New Director of the OCR

Attendees at the HIPAA Summit had the great honor of hearing the first public remarks from the newly appointed Director of the OCR, Roger Severino, in his new capacity. Prior to his appointment, Severino had a long and distinguished public service career.

In his remarks at the Summit, Severino emphasized the important role of health information privacy and security to the overall functioning of the healthcare system. This focus will lead to increased patient confidence in the system, which, according to the new director, is paramount for the system to function.

OCR Priorities for 2017

Following Severino’s remarks, OCR Deputy Director Deven McGraw shared the OCR’s outlook for 2017. McGraw and her team plan to work with Severino over the coming weeks to identify priorities for policy and guidance.

Update on HIPAA Audit Program

Speaking on Phase 2 of the HIPAA Audit Program, McGraw reiterated that the audits are a tool for learning, not a tool for enforcement, and should eventually yield best practices. She stated that the OCR hopes to develop a continuous compliance monitoring program moving forward, as opposed to the periodic audits conducted currently.

OCR Enforcement

Iliana Peters, Attorney and Senior Advisor at the OCR, spoke on OCR enforcement at both the Compliance Institute and the HIPAA Summit. She highlighted lessons learned from 2016 resolution agreements and civil money penalties, including the need for regular and thorough risk analyses, encryption, access and audit controls, and timely breach notification.

For more information on the OCR, join MRO for the first installment of our free privacy and security webinar series, “Lessons Learned from OCR Enforcement Actions,” Monday, April 17, 1pm Eastern.

Insights from MRO’s Legal Expert: Release of Information – Risky Business

While cyberattacks and device theft make good news stories, it’s far more likely for Protected Health Information (PHI) breaches to occur during routine Release of Information (ROI) requests. These improper disclosures are just as damaging to healthcare organizations as larger breaches. With this in mind, safeguarding health organizations against breach should be a top priority.

Factors driving breach risk

As PHI disclosure points and ROI requests increase, the likelihood of breaches occurring during the ROI process will also increase. Differing electronic medical record (EMR) systems and a lack of standardized policies and procedures contribute to the rise in breach risk associated with the recent surge in healthcare mergers and acquisitions. Another factor is the growing volume of requests in a changing market.

An emphasis on value and quality care means more commercial and government payer audits. Additionally, more and more patients wish to be directly involved in healthcare decisions and thus want greater access to their records. This larger number of requests, along with the faster and more frequent exchange of PHI, will logically lead to increased risk.

Unintentional employee actions cause breach

MRO research shows 20-30 percent of ROI authorizations are initially invalid, and without a second review, up to 10 percent of these invalid authorizations are processed. Additionally, five percent of data in EMRs have data integrity issues, such as commingled records, which can lead to improper disclosures. This is likely due to employee negligence. According to a May 2016 Ponemon Institute survey, 36 percent of PHI data breaches were caused by “unintentional employee action.”

The cost of PHI breach

Breaches are costly. Each breach costs between $8,000 and $300,000, according to the American National Standards Institute, not including HIPAA violation civil penalties, which can be as much as $50,000 per breach, and up to $1.5 million for recurrence. But the cost isn’t just monetary – breach also means loss of brand value.

According to Ponemon, 89 percent of surveyed healthcare organizations reported a PHI breach between May 2014 and May 2016, and 45 percent reported more than five in that same timeframe. As of January 2017, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has assessed approximately $58.51 million in settlement agreement fines or civil money penalties for data breaches.

ROI is a risky business. In today’s changing HIM landscape, the need for safeguarding health organizations against breach has grown exponentially. Standardizing policies and procedures by implementing an enterprise-wide strategy for PHI disclosure management, ensuring multiple layers of Quality Assurance are applied throughout the release process, and employing a well-trained and knowledgeable workforce are best practices for preventing small breaches that could potentially occur during the ROI process.

To learn more, fill out the form and read our eBook, Breach Risk in Release of Information: Don’t Leave Risk to Chance.

Insights from MRO’s legal expert: Mitigating risk through HIPAA risk analysis

The Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced that Illinois-based Presence Health agreed to settle potential HIPAA Breach Notification Rule violations by paying $475,000 and implementing a corrective action plan. This is the OCR’s first settlement based on the untimely reporting of a breach of Protected Health Information (PHI), and signals a new direction in HIPAA enforcement.

There are many ways healthcare organizations can ensure compliance with the HIPAA Security, Privacy and Breach Notification Rules, and in this blog post, we will focus on consistently conducting HIPAA risk analyses.

Risk analysis is a process used to develop a firm understanding of the location of PHI and electronic PHI (ePHI) across an enterprise. Completing this process can also help identify potential points of disclosure and improve breach management.

Here are three key points about risk analysis:

1. Risk analysis must be a living document

Regularly conducting accurate and thorough assessments of potential risks and vulnerabilities is imperative. As noted above, this assessment should identify the location of all PHI and list potential threats, including its vulnerability to impermissible use and disclosure. Additionally, the assessment should list corrective actions for such instances. The Office of the National Coordinator for Health Information Technology (ONC) website offers an interactive tool for conducting risk analysis, and helps determine if and when organizations need to take corrective action.

2. Conduct Business Associate risk analysis

Healthcare organizations need to assess risks for all Business Associates (BAs) that can share or access PHI. During this analysis, organizations need to ensure Business Associate Agreements (BAAs) are in place with all BAs, including partners in the Health Information Management (HIM) space, and other vendors less directly involved with health information, like food service operations or revenue cycle management partners. Inquiring about BAs’ risk analyses, risk management plans and breach notification plans should be a major focus of BA reviews.

3. Ensure breach notification compliance

Risk analyses should include a review of breach notification compliance. In general, incidents involving fewer than 500 patients need to be reported to the OCR within 60 days after the end of the year; incidents involving more than 500 patients need to be reported within 60 days of the incident.

If it is concluded that no unauthorized PHI was disclosed in a suspected breach, the organization must document the findings of the breach risk assessment that support that conclusion, namely that the risk of compromise was low and thus no breach occurred. For any incident determined to be a reportable breach, the organization will need to document a timeline from discovery to notification.

For additional risk mitigation best practices, fill out the form below and receive a copy of MRO’s white paper, Increasing Enforcement of Protected Health Information Breaches and Patient Access Requires Healthcare Organizations to Scrutinize Processes and Risk.

Insights from MRO’s legal expert: Exploring patient access to Protected Health Information

President Obama’s Precision Medicine Initiative has encouraged millions of Americans to share their Protected Health Information (PHI) with the federal government. This push means providers should dedicate more time and resources to helping patients through the requesting process. With this in mind, my colleague Rita Bowen, MA, RHIA, CHPS, SSGB, Vice President of Privacy, Compliance and HIM Policy for MRO, and I co-authored an article for Compliance Today, reviewing the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) patient access FAQs and guidance.

In this post, I’ll review a few compliance concerns related to patient access.

Patient requests are different from third-party requests

Requiring patients and their personal representatives to submit HIPAA-compliant authorizations in order to obtain access to their PHI is one of the most common compliance mistakes. Healthcare organizations may require patients to request in writing and on provider-supplied forms, but these requirements cannot create a barrier to or unreasonably delay patient access to health information.

Designated record set may not be clearly defined

Providers should use the designated record set (DRS) to collect information for patient requests. The DRS contains any information used to make decisions about an individual, including medical records, billing records, insurance information, clinical lab test results, medical imaging, wellness and disease management profiles, clinical case notes and other items. Ensuring patient access may become a compliance challenge when the DRS is not clearly defined.

Timeliness and format

One major focus of the patient access FAQs is the emphasis on timely fulfillment of patient requests for access to health information, usually within 30 days. If a request cannot meet the specified turnaround time, the provider must notify the patient, explaining the reason for the delay and when the patient can expect their records.

Additionally, providers should give patients their PHI in the form and format requested. The copies should be delivered to patients for a “reasonable, cost-based” fee.

For a more in-depth look at patient access, read the full Compliance Today article.

Reduce BA risk through due diligence and documentation

MRO wrote an article for the October issue of Journal of AHIMA, exploring why it’s important for healthcare organizations to ensure the HIPAA-compliance of the entities they partner with to help carry out healthcare activities, and what they can do to guarantee that compliance. Entities that create, maintain or transmit Protected Health Information (PHI) on behalf of a provider organization are considered Business Associates (BAs) under HIPAA, and, as of 2013, can be held liable for violations of the HIPAA Security and Breach Notification Rules and certain provisions of the HIPAA Privacy Rule.

These BAs include PHI disclosure management partners like MRO, as well as providers of services less obviously tied to privacy and security compliance, like food services companies. Regardless of a BA’s business, provider organizations need to conduct due diligence and execute Business Associate Agreements (BAAs), ensuring BAs have HIPAA-compliant policies and safeguards in place.

BAs have come under increased scrutiny from the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) in recent years. This attention stems in part from the large amount of electronic PHI (ePHI) that BAs hold, putting providers and their patients at risk.

Conduct due diligence

While it is very important to conduct due diligence of BAs before beginning a partnership, it should also be part of the provider’s ongoing risk analysis. Providers should create a questionnaire for BAs containing questions about how the BAs protect PHI. If red flags are identified, a more in-depth review or assessment should be conducted.

In addition to these due diligence questionnaires, provider organizations should obtain “satisfactory assurances” from BAs in writing. These “satisfactory assurances,” which state BAs will appropriately safeguard the PHI they receive or create on behalf of the provider organization, are required under the HIPAA Privacy Rule.

Encourage transparency

Additionally, to ensure protection for both the provider organization and the BA, both parties should encourage information and process transparency from the start. Beginning with thorough due diligence establishes an open relationship and forges a trusting long-term partnership.

To learn more about managing BA risk, join us for AHIMA’s Virtual Privacy and Security Academy. The next session, hosted by MRO, will cover BA and subcontractor management, and will be held on December 14, 2016. Please enter your email address below to receive our special promo code for 15 percent off registration.

Four steps to minimize breach risk and liabilities for medical practices

As advancements are made in health information technology, allowing for easier access to Protected Health Information (PHI), the risks inevitably grow. This year alone, more than 220 PHI breaches affecting 500 patients or more have been reported. While large breaches caused by cyberattacks are often the center of media discussion, smaller breaches caused by incidents like the improper disclosure of PHI are much more common.

Smaller breaches are gaining more attention from the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). Earlier this year, the OCR announced the initiation of a new program to more thoroughly investigate breaches impacting 500 individuals or fewer. These breaches, just like larger ones, are costly, not only in dollars, but in reputational damage as well. Medical practice leaders should be ready.

Here are four steps medical practices can take to minimize breach risk when disclosing PHI:

1) Institute multiple levels of Quality Assurance
Instituting multiple levels of Quality Assurance (QA) is a must for breach prevention. An estimated 20 to 30 percent of Release of Information (ROI) authorizations are initially invalid, and 5 percent of EMRs have record integrity issues, such as commingled patient records. Without multiple checkpoints to validate HIPAA compliance and record integrity, medical practices are highly susceptible to human error, which can lead to improper disclosure of health information. The best workflows for releasing medical documentation include having a second set of eyes on every authorization and on the health information being disclosed to lower the likelihood of improper disclosures.

2) Leverage technology to catch human error
Human intervention can only prevent a certain level of error; however, dedicated technologies are available to catch human error and improve accuracy. Innovations like MRO’s IdentiScan® record integrity application, which uses optical character recognition (OCR) technology to assist record integrity specialists in reading every page of requests before release, work to catch human error and minimize the chance of disclosing records of wrong patients. IdentiScan pushes disclosure accuracy to an industry-leading 99.99 percent, well above the 90 percent average.

3) Implement proper training and education
To ensure accuracy and compliance while disclosing PHI, medical practice staff should be highly trained and specialized in HIPAA and state compliance. Since PHI disclosure management is not the core function of medical practice staff tasked with releasing medical records, this can become a tricky area. That’s where a vendor with a high level of expertise comes in.

4) Partner with a dedicated PHI disclosure management firm
Partnering with a knowledgeable and advanced PHI disclosure management firm will help prevent breach. By outsourcing PHI disclosure management processes, medical practices can better standardize their systems for disclosure and allow practice staff to focus time and energy on other priorities, such as patient care. With the right partner in place – such as MRO – practices can achieve industry-leading turnaround times and the highest levels of accuracy, ensuring compliance every step of the way.

To learn more, fill out the form below to download our case study detailing how Lehigh Valley Physician Group partnered with MRO to improve accuracy and minimize breach risk.

Updates from the OCR: Phase 2 of the HIPAA Audit Program

At the recent National HIPAA Summit in Washington, D.C., Jocelyn Samuels, Director of the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), and Deputy Director Deven McGraw, gave an update on the OCR’s compliance enforcement efforts, including the status of the HIPAA Audit Program, which launched Phase 2 in March 2016.

The OCR stated that they plan to complete 200-250 audits of Covered Entities (CEs) and Business Associates (BAs) over the course of three stages during Phase 2 of the HIPAA Audit Program. Currently, the OCR is in the process of evaluating documentation it received from the 167 CEs selected in June 2016 to participate in the first stage of Phase 2. Preliminary draft audit reports will soon be sent to audited CEs for their feedback, before the drafting of final reports. The OCR anticipates completing the first stage of Phase 2 by the end of 2016.

Future Outlook: Second and Third Stages for Phase 2 HIPAA Audits

In the meantime, the OCR plans to launch the second stage of Phase 2 – BA desk audits – in October 2016. The OCR will select 40-50 BAs from lists provided by stage one CE auditees to participate in stage two. Those BAs selected for the second stage will be evaluated on CE breach notification and compliance with the HIPAA Security Rule. Prior to the launch of the second stage, selected BAs will be invited to participate in a webinar hosted by the OCR, allowing the BAs to ask questions. Like stage one, selected BAs will have ten days to respond to the OCR’s request for documentation and will be given an opportunity to review and provide feedback on a draft of the report before the final version is completed.

In the next few months, the OCR will initiate the third stage, which will consist of onsite audits of select CEs and BAs. The OCR does not yet have an exact number of audits for stage three, but anticipates conducting only a small number.

After completing Phase 2 of the HIPAA Audit Program, the OCR will issue a public report, which will aggregate and address “lessons learned,” including best practices for BAs and CEs to implement.

Even for organizations not selected for participation in Phase 2, the OCR strongly encourages all CEs and BAs to review and implement the audit protocols, as most organizations that have entered into resolution agreements and civil money penalties with the OCR have been cited for not having proper risk analyses and risk assessments in place.

All of the audit protocols are available on a user-friendly spreadsheet created by MRO to assist with your organization’s preparation. To download the reference tool, please fill out the form below.

MRO will hold an informal HIPAA Q&A during the upcoming AHIMA16 convention in Booth #1020. If you’re attending the conference, please stop by.

Five stellar tips for providing patient access while protecting privacy

MRO recently hosted a webinar, “Skyrocket your HIPAA Compliance: 5 Stellar Tips for Providing Patient Access while Protecting Privacy,” exploring ways Covered Entities (CEs) can provide patients and their personal representatives easy access to Protected Health Information (PHI), while staying compliant with HIPAA and protecting their data from breach.

As the title promised, we offered the following five tips:

1. Do not create patient access barriers

The HIPAA Privacy Rule requires CEs to provide patients and their personal representatives – persons with authority under state or applicable law to make healthcare decisions for a patient – easy access to their PHI for a “reasonable, cost-based” fee within 30 days of request. CEs can require the requests be made in writing and using their own supplied forms, but cannot create barriers or unreasonably delay patients from obtaining PHI.

2. Implement the HIPAA Security Rule’s safeguards

This includes:
a. Administrative Safeguards: Administrative actions to manage security measures to protect electronic PHI (ePHI).
b. Physical Safeguards: Physical measures to protect electronic information systems and related buildings and equipment from natural and environmental hazards, and from unauthorized intrusions.
c. Technical Safeguards: Technology used to protect and control access to ePHI.

3. Standardize and centralize

Standardizing PHI procedures and centralizing Release of Information (ROI) processes reduces the risk of HIPAA violations and decreases the number of PHI disclosure points, lessening the chance of improper disclosure and breach.

4. Educate and train workforce members

Oftentimes, compliance issues are caused by unintentional actions taken by workforce members who are not familiar with the proper policies and procedures for the use and disclosure of health information. With this in mind, it is important to create a culture of compliance. Workforce members should undergo formal training at least once a year to ensure compliance with applicable federal and state laws, and the effectiveness of this training should be tested through measures such as phishing exercises and desk audits.

5. Monitor Business Associate compliance with HIPAA

CEs are required to enter into Business Associate Agreements (BAAs) with their Business Associates (BAs), as BAs are now liable for violations of the HIPAA Security Rule, Privacy Rule and Breach Notification Rule.

The webinar also included an update on HIPAA Compliance Enforcement, including information on Phase 2 of the Office for Civil Rights (OCR) HIPAA audits, which began in March 2016.

To receive a recording of the webinar, please fill out the form below.

Five ways Business Associates can reduce breach risk and stay HIPAA-compliant

Business Associates (BAs) can be held liable for violations of certain provisions of the HIPAA Security, Privacy and Breach Notification Rules. Therefore, it is essential for BAs to ensure they have the appropriate measures in place, and are properly safeguarding the Protected Health Information (PHI) of Covered Entities (CEs).

As the trusted PHI disclosure management partner and BA of many of the nation’s leading healthcare provider organizations, MRO takes special measures to ensure compliance, and suggests fellow BAs add these tips to their checklists when reviewing their HIPAA compliance programs:

1. Review and update policies and procedures
One great way to verify that a BA has the required and up-to-date policies and procedures is to compare them to the HIPAA Administrative Simplification Rule’s table of contents, making sure the policies and procedures can be “cross-walked” to the applicable provisions of the HIPAA Rules.

2. Conduct a risk analysis on a regular basis
Conducting a thorough risk analysis provides the foundation for implementing many Security Rule safeguards. Additionally, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has cited organizations for failing to conduct proper and complete risk analyses in almost all its HIPAA violation resolution agreements. To help with this crucial process, HHS has published guidance that should be reviewed.

3. Confirm Business Associate Agreements
BAs can be held liable for certain violations of the HIPAA Regulations by their subcontractors—entities to whom the BA delegates a function, activity or service—if they do not have Business Associate Agreements (BAAs) in place. Therefore, it is critical that BAs have up-to-date BAAs with all subcontractors. For more information, HHS has published guidance on BAAs, containing a sample agreement.

4. Train your workforce
Workforce members should undergo formal training at least once a year to ensure they understand PHI use and disclosure requirements under federal and state law, and what policies and procedures the healthcare organization has implemented to ensure compliance.

5. Confirm insurance status
In the past year, organizations across the country have paid more than $16 million as part of resolution agreements and civil money penalties to the OCR for HIPAA violations. Given the cost of HIPAA violations, it is important that BAs confirm they have insurance coverage in the event of a HIPAA violation. This is especially important because many CEs require that their BAs indemnify them in the event of such an incident.

MRO will present on this topic on August 17, 2016 in AHIMA’s Virtual Privacy and Security Academy session “HIPAA Compliance for Business Associates,” worth three credits. Please enter your email address below to receive our special promo codes for 15 percent off registration.
