Check Request Status610-994-7500

Webinar Recap: Healthcare Regulatory Updates and Guidance

Healthcare Compliance

On Thursday, May 17, 2018 my colleague, Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services and I presented the second part of our four-part healthcare compliance webinar series. In this webinar titled “Healthcare Regulatory Updates and Guidance,” we covered some of the following key points:

Global Data Privacy Rule (GDPR)

The GDPR is current legislation that was proposed by the European Commission to strengthen and unify data protection for individuals in the European Union (EU). The goal of the regulation is to increase protection and enhance privacy rights on how data is collected and used regarding EU residents. This rule also applies to organizations outside the EU, such as the US, if it collects data.

Substance Abuse and Mental Health Services Administration (SAMHSA)

SAMHSA released an update in January 2017, which allows organizations to utilize an inclusive authorization whereby this sensitive information may be shared with an HIE or within an integrated delivery system which affords these patients with the same rights to high-quality care by allowing care givers to review necessary information. The update to the rule permits the disclosure or re-disclosure of this information as necessary to carry out lawful treatment, payment and operations. The required statement on this type of record now reads “Federal law 42 CFR Part 2 prohibits unauthorized disclosure of these records.”

Disclosures for Emergency Preparedness

Emergency preparedness and recovery planners are interested in the availability of information they need to serve people in the event of an emergency. The HIPAA Privacy Rule protects individually identifiable health information from unauthorized or impermissible uses and disclosures. The Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur.

Cybersecurity and Ransomware

Ransomware has forced health IT to get more aggressive towards increasing their security safeguards and protections against attacks through infected mails and websites. Attendees were reminded that the best ways to prepare and combat these attacks include:

  • Risk analyses and gap analyses
  • Ongoing end-user training
  • Appropriate and up to date patching
  • Utilization of advanced security protection tool

To learn more about this topic, sign up for our next webinar “Cybersecurity: Protecting your Healthcare Enterprise” on Wednesday, August 15, 2018 at 2pm Eastern.

Texting in Healthcare

Texting in healthcare can be a risk if not done so by meeting the technical safeguards of the HIPAA Security Rule. These safeguards include:

  • Access to PHI must be limited to authorized users who require the information to do their jobs
  • A system must be implemented to monitor the activity of authorized users when accessing PHI
  • Those with authorization to access PHI must authenticate their identities with a unique, centrally-issued username and PIN
  • Policies and procedures must be introduced to prevent the PHI from being inappropriately altered or destroyed
  • Data transmitted beyond an organization’s internal firewall should be encrypted to make it unusable if it is intercepted in transit

Future Outlook

Attendees also received insight on the changes and updates we may expect to see forthcoming in 2018. Some of these included:

  • Restitution back to victims who were harmed by a violation of HIPAA
  • Consideration to remove NPP signature forms
  • Good faith disclosures (related to Opioid crisis)
  • Potential changes in the requirement related to accounting of disclosures

Healthcare regulatory updates and government guidance are continuously evolving and can be difficult to interpret and understand. The implementation and management of those changing guidelines is vital for meeting compliance in any organization. For more information on these topics, fill out the form below to receive a copy of this webinar.

Receive a copy of the part 2 webinar recording and a PDF of the slides

Read More

Privacy Dashboards: A Powerful Tool for Compliant PHI Disclosure Management

Managing the release of Protected Health Information (PHI) is more complex than ever, due to evolving federal regulations, patient access rights, and pressure to manage and exchange health information electronically. With multiple departments releasing PHI, there are concerns and risks across the entire enterprise. For individuals whose primary tasks do not include PHI disclosure, privacy regulations are not foremost in their thoughts. Without ongoing education and process change, the potential for breach risk escalates. To mitigate risk, it is recommended that organizations centralize their Release of Information (ROI) and use privacy dashboards and data analytics technology.

Centralize Release of Information to Improve Privacy Compliance

Healthcare organizations should assign PHI disclosure and ROI tasks to a focused group of professionals who understand the regulations, receive ongoing education on changes, and realize the complexities of the process. This way, one department will have total control and responsibility of maintaining appropriate records of what information has been released, knowing where it’s going, and when to escalate notification issues. Managing information through one department will improve compliance and patient care.

Use Privacy Dashboards to Track Patterns and Trends

Every privacy incident yields valuable data to improve compliance. Privacy dashboards can be used as a powerful tool to show patterns and trends for smaller incidents — now being tracked by OCR — and for large events as well. Regardless of size, an organization’s ability to consistently identify and track trends is essential. You can find a list of all the features an effective compliance tool should provide in “Privacy dashboards: Tracking and reporting for compliant PHI disclosure management,” which appears in the May 2018 issue of HCCA’s Compliance Today.

The most important factors in compliance program management are constant awareness, communication, tracking and reporting through easy access to reliable and actionable data. Privacy dashboards help organizations determine root causes of incidents, so they can take the necessary actions to improve compliance.

Examples of corrective action include:

    • Revising compliance policies and procedures
    • Providing additional staff training on hospital policy and HIPAA regulations
    • Assessing and improving PHI disclosure management processes
    • Ensuring encryption of all devices used by staff

    As the volume of PHI requests continues to increase over time, so does the risk of breach. Using privacy analytics to identify compliance patterns and trends, improve operational processes, and resolve breach issues is increasingly important. Actionable compliance data has become a critical tool for healthcare organizations along the journey to value-based care.

    Learn more about privacy analytics by attending AHIMA’s Live Data Dive Webinar “Privacy Dashboards: What You Should be Tracking & Reporting” on May 9th at 9:30am Eastern. If you cannot make the live session, sign up for the playback webinar recording here.

Sign Up for Future Blog Posts

Read More

How to Ensure Proper PHI Disclosure across your Healthcare Enterprise

PHI Disclosure

When it comes to Protected Health Information (PHI), one of the main duties of Health Information Management (HIM) departments is to protect their patients’ privacy and ensure proper disclosure. HIM departments have had a long-held reputation of being the top disclosers of PHI within a healthcare enterprise. However, recent trends in PHI disclosure management are changing things around. Combined requests from other areas such as radiology, business offices, and physician practices are matching, if not exceeding, the PHI disclosure volumes in HIM. This combination of departments managing PHI disclosure causes high volumes of records and increases risk. Below are a few best practices, as outlined in a Journal of AHIMA article, for how HIM professionals can ensure proper disclosure and mitigate breach.

Know the Risky Spots: Audit your Points of PHI Disclosure

A practical first step is to conduct an enterprise-wide audit of all disclosure points. An audit of all PHI disclosure points should be conducted and updated yearly as part of your organization’s privacy compliance assessment. Auditing your enterprise helps HIM leaders become aware of the risks, which they can then work to mitigate. HIM professionals should audit non-HIM PHI disclosure areas to ensure compliance with relevant laws. During the audit, HIM leaders should review a list of items for disclosures which includes date received, date delivered and more.

Train and Educate Based on Needs

Training is essential for safe and compliant enterprise-wide Release of Information. This goes for the HIM department as well as any other employees that release PHI. Well-trained ROI staff keep the flow of information running smoothly. Based on the individual department’s most common requests, ROI training should be focused on accuracy, include all HIPAA privacy basics, and include the following six PHI disclosure management fundamentals:

  1. Track and monitor each type of request being received.
  2. Define each type of request.
  3. Emphasize accuracy.
  4. Reiterate minimum necessary.
  5. Coach personnel on patient requests.
  6. Direct requests to HIM.

Establish HIM as the Enterprise-wide PHI Gatekeepers

Annual HIM reviews and continuous communication with other departments that release information are essential to mitigate breach risk, expedite payer reimbursement, and prevent a requester dissatisfaction crisis. Non-HIM staff are focused on their core competency areas and are rarely trained in proper PHI disclosure management. The result is often hasty PHI processing and increased risk of breach. To mitigate risk while also ensuring the appropriate ROI, HIM departments should maintain oversight of PHI disclosure management across the entire enterprise—not just within HIM.

Complete the form below to download MRO’s eBook “Breach Risk in Release of Information: Don’t Leave Risk to Chance” and learn strategic, enterprise-wide approaches to PHI disclosure management and mitigating breach risk.

DOWNLOAD MRO’S EBOOK “BREACH RISK IN RELEASE OF INFORMATION: DON’T LEAVE RISK TO CHANCE.”

Read More

Four Healthcare Compliance Webinars to Attend in 2018: Covering Privacy, Security and Information Governance

As we move into 2018, healthcare professionals should be up to date on the latest Privacy, Security and Information Governance trends. It is important to be aware of what’s on the horizon and how to prepare your organization for the future.

In MRO’s upcoming 2018 healthcare compliance webinar series, MRO’s Angela Rose, MHA, RHIA, CHPS, FAHIMA, Director of Client Relations and Account Management, and I will co-present on the latest industry trends and discuss best practices for organizations to consider. There are four parts to this webinar series, and we are in process of having each session pre-approved by AHIMA for one (1) CEU in the privacy and security domain.

Below are the four session topics, which Angela and I will go into more detail on in our webinar series. To register, click here.

Webinar Watch List: Privacy, Security and Information Governance

1) Compliance with the Global Data Privacy Rule (GDPR) and Privacy Shield
The Global Data Privacy Rule (GDPR) is compelling every organization to consider how it will respond to today’s security and compliance challenges. This may require significant changes to how your business gathers, uses and governs data if you serve individuals from the United Kingdom. Much of the discussion about the GDPR has focused on the law’s privacy-centric requirements, such as mandatory record keeping, the right to be forgotten, and data portability.

March 22, 2018 – 2pm Eastern – Register Here.

2) Healthcare Regulatory Updates and Guidance
Healthcare regulatory updates and government guidance are continuously evolving and can be hard to interpret and understand. The implementation and management of those changing guidelines is vital for meeting compliance in any organization. When we hold this webinar, the session will review the regulatory updates and guidance that must be implemented to achieve regulatory compliance.

May 17, 2018 – 2pm Eastern – Register Here.

3) Cybersecurity: Protecting your Healthcare Enterprise
Although cyber attackers constantly create new versions of malicious software and search for new vulnerabilities to exploit, healthcare organizations must continue to be vigilant in their efforts to combat cyber extortion. This webinar will share lessons learned and actions for consideration to remain diligent and ready for potential threats.

August 15, 2018 – 2pm Eastern – Register Here.

4) 2019 Healthcare Privacy and Security Compliance Predictions
This session will briefly summarize the prior sessions in MRO’s four-part webinar series on healthcare privacy and security compliance, including lessons learned in 2018— and then shift focus to 2019. We will do our best, utilizing our crystal ball, to predict focus areas for 2019.

November 7, 2018 – 2pm Eastern – Register Here.

Health Information Professionals Week

MRO will launch our healthcare compliance webinar series, which covers these topics, on March 22, 2018, during Health Information Professionals (HIP) Week. HIP Week will coincide with AHIMA’s Advocacy Summit and Hill Day, events where AHIMA members receive education specific to advocacy and visit Capitol Hill to share the importance of advancing HIM. Privacy, security and Information Governance continue to be key issues for HIM professionals. AHIMA has stated it will continue to provide guidance to the healthcare industry and government leaders seeking expertise and counsel, and MRO looks forward to continuing in our efforts to educate and support the HIM profession, as well.

Register today for our first webinar, on the topic of Compliance with the Global Data Privacy Rule (GDPR) and Privacy Shield.

Sign Up for Future Blog Posts

Read More

Breach Prevention: Developing Best Practices from OCR Audits and Enforcement Activities

AHIMA held its 11th Annual Privacy and Security Institute on October 7-8, 2017 in Los Angeles, concurrent with the national convention. As a sponsor of the event, MRO held a breach prevention session titled “Developing Best Practices from OCR Audits and Enforcement Activities.” During the presentation, Rita Bowen and I reviewed the current Office for Civil Rights (OCR) audit and enforcement landscape and provided best practice guidance based on audit and enforcement outcomes.

We discussed some of the biggest cases to date including nine resolution agreements totaling over $17M collected by the OCR. The top five compliance issues (in order of frequency) included (1) impermissible use and disclosures, (2) lack of safeguards, (3) lack of patient access to health information, (4) releasing the minimum necessary, and (5) lack of administrative safeguards to electronic Protected Health Information (PHI). Below are five best practices for breach prevention, as well as a video interview where I recap the presentation.

Video Recap: AHIMA Privacy and Security Institute

 

Five Best Practices for Breach Prevention

1) Create a patient data protection committee.
This committee should oversee the organization’s patient privacy compliance program and conduct quarterly risk analyses and assessments. Serving as the incident response team, each committee member should review policies and procedures annually. In addition to these responsibilities, a patient data protection committee should perform mock HIPAA audits using Phase 2 protocols from the OCR.

2) Provide ongoing education and training for workforce members.
Many breaches are caused by unintentional actions taken by workforce members who are not familiar with the proper policies and procedures for Protected Health Information disclosure management. To avoid this from happening, organizations should provide formal training at least once a year to ensure compliance with applicable federal and state law. Provide reminders of policies and procedures through emails, posters, and patient privacy awareness activities.

Some free helpful tools include:
OCR’s website
OCR’s YouTube channel
AHIMA’s Body of Knowledge

3) Implement HIPAA’s security rules for administrative, physical and technical safeguards.
Make sure your organization’s risk analysis is current and complete. This is the key to avoiding any potential threats and vulnerabilities. Utilize technologies that strengthen your compliance program and access monitoring software. For HHS guidance on technical safeguards, visit their website.

4) Test the effectiveness of your compliance program.
This can be done a few ways. Through internal, external and penetration audits. Through social engineering, which involves fake phishing emails, fake phone calls and checking desks for exposed passwords. And lastly, through mock breach exercises.

5) Assess your Business Associates’ compliance.
With proper due diligence and periodic vendor assessments, healthcare providers can safeguard their organizations against breach by way of their BAs. Additionally, Business Associate Agreements (BAAs) can ensure HIPAA compliance, and hold subcontractors liable for potential violations.

Complete the form below to download MRO’s eBook on breach prevention “Tips and Best Practices to Safeguard your Healthcare Organization.”

DOWNLOAD MRO’S eBook “Preventing a Breach: Tips and Best Practices to Safeguard your Healthcare Organization.”

Read More

AHIMA Convention Reflections: Business Associate Management and Best Practices for Risk Analysis

At the 2017 AHIMA National Convention and Exhibit, Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, and I co-presented a session titled “Essentials for Business Associate Management: Due Diligence and Ongoing Risk Analysis.” In this presentation, we discussed ways to manage risk associated with Business Associates (BAs) for Covered Entities (CEs).

Rita and I reviewed industry trends around the renewed focus on vendor relationships and compliance, and the Office for Civil Rights’ (OCR) increased scrutiny of BAs. We covered many key components of thorough due diligence when evaluating BAs, and the necessary ongoing risk analysis once partnered.

The audience learned best practices that they can incorporate into their risk assessment process, which will make Business Associate management more bearable. Below is a video interview where I recap the presentation.

Video Recap: Managing Risk Associated with Business Associates for Covered Entities

 

Video Transcript

Anthony: I am Anthony Murray, Vice President of Information Technology for MRO.

Question: Tell us a little bit more about your presentation and the topic of BA Management.

Anthony: Today, Rita Bowen and myself presented on managing risks associated with Business Associates for Covered Entities. I think primarily what we were trying to drive home was a consistent approach to assessing risk when doing business with Business Associates within the Covered Entity space. It is a broad and deep topic. We covered a lot of different ways and concepts, so hopefully they came away with some ideas that they can incorporate into their risk assessment process to hopefully make their dealing with BAAs (Business Associate Agreements) a little bit more bearable.

Question: What best practices did you discuss during your presentation?

Anthony: We talked a lot about access controls, understanding the governance that’s in place, and trying to read the maturity scales of the Business Associates. What it really boiled down to was hopefully distilling down and understanding the services that the vendor is providing and associating the appropriate risk level to them. Based on the risk level, you hope to identify how deep into the privacy and security controls that they have in place are important to you as a company.

Question: What is MRO doing to address this topic?

Anthony: MRO is doing a number of things to help address this topic. One, is we have ongoing certifications to help augment what our CEs are going to do to assess us from a risk perspective. So, we’re trying to achieve things like HITRUST and perform our SSAE 16 and SOC type 2 audits. In addition, we also employ a number of very transparent controls that we talk about from the very onset of our relationship with our clients. How we manage access controls, how we report incidences and privacy threats all the way down to even giving access to our end user ongoing training seminars.

Question: What are some of the biggest trends and themes you’ve noticed at this year’s convention?

Anthony: I actually think this was one of the bigger topics between cyber and general privacy concerns with some of the changes in legislation. What you’re seeing is a continued focus on the business associates and risk they present. We saw a lot of good traction that we’re getting the paper work done when it comes to managing your business associates, but continuing to develop and look at the threat profile of the BAs continues to be a hot topic here.

Question: What is your favorite part about AHIMA?

Anthony: My favorite part of AHIMA is being around people who are all sharing the same struggles, challenges and opportunities that I’m facing. As a Business Associate, I’m confronted with CEs and other other agencies like ourselves that provide services to these hospitals all dealing with the same problems and being able to come together as a community and discuss it is just so reassuring that we’re not left out on an island.

To download slides from MRO’s Business Associate Management presentation, complete the form below.

DOWNLOAD MRO’S BUSINESS ASSOCIATE MANAGEMENT PRESENTATION

Read More

Reflections from AHIMACon17: Merger Mania and its Impact on Privacy and Health Information Management Systems

Merger Mania

At the 2017 AHIMA National Convention and Exhibit, MRO’s client Melissa Landry of Ochsner Health System and I co-presented a session titled “Merger Mania: Impact to Privacy and Health Information Management.” In this presentation, we discussed industry trends around mergers of healthcare organizations and the impact on privacy, Health Information Management (HIM) systems and Protected Health Information (PHI) disclosure management.

Melissa Landry shared how Ochsner successfully responded to challenges resulting from healthcare mergers. Audience members learned strategies for addressing these types of challenges. Below is a video interview where I recap the presentation.

Video Recap: Merger Mania and its Impact on Privacy and Health Information Management Systems


Video Transcript

Rita: I’m Rita Bowen, and I am with MRO. And, I am their Vice President for Privacy, Compliance and HIM Policy.

Question: Tell us about the presentation you gave at the AHIMA Convention about “Merger Mania.”

Rita: I had the opportunity to work with Melissa Landry from Ochsner on a discussion of Merger Mania, and that has been so important because there have been so many physician facilities that are actually merging, buying physician practices, and there needs to be a dedicated process in getting that done correctly. It’s not simply, “I’m going to buy you, and make you part of my team.” There are Information Governance components that have to be demonstrated to make it work correctly.

Question: What best practices did you discuss during your presentation?

Rita: During our presentation today, we talked about best practices for this process of Merger Mania, and we actually took each of the components of Information Governance and threaded that through the discussion; the project management skills required in that; and, actually, the workflow that has to be determined. Because, you often find that the workflow in a physician practice has never been discussed, and you may find that a physician never closes their record, and most of the records will not come into an electronic health record system that you may be trying to merge unless they have actually been closed, which means someone has signed off on those records.

Question: What is MRO doing to address Merger Mania?

Rita: At MRO, we’re doing many things to address Merger Mania—through our acquisition process when we’re bringing on and partnering with a new customer, through the implementation process. We have an assessment phase that helps us do a deeper dive into workflow, and helps analyze those workflow issues. Then, there’s the policy review, which I do, which helps identify policies that the facility may be missing and/or may be complementing policies that we have; or they may be more stringent; or we may perhaps have a policy that’s more stringent, so that sets the foundation for the framework for the implementation team as they go through their education process.

Question: What are some of the biggest trends and themes you’ve noticed at this year’s AHIMA Convention?

Rita: At this year’s convention, some of the biggest trends that I’ve noticed and observed, especially in the general sessions, is that there’s still a focus and discussion regarding Information Governance (IG). There’s still a disconnect from many members thinking they’re not in that IG space. I contend that everything that everybody does in HIM is IG. Everybody is in some kind of lane of IG. It’s not different; it’s not a different domain; it’s one in the same of Health Information Management. The other big thing is population management and how information has got to flow in a way that it can be used in a way that patient privacy is still protected but it actually helps the population management improve health and improvements can be seen—because we still have a way to go there in this country.

Question: What is your favorite part about AHIMA?

Rita: When you ask me what my favorite part about AHIMA is, that’s hard because this is my 43rd convention, so obviously I love to come here. But, my favorite part is seeing friends. Seeing and networking with all the colleagues who I’ve worked with over the years. And, then networking is an excellent way to learn. You stay engaged with someone that’s doing one niche, because you may be working in a different lane, so it helps you stay identifiable into the whole processes. But, the friendships that you’ve maintained through those years is just so vital.

To download slides from MRO’s Merger Mania presentation, complete the form below.

Download MRO’s Merger Mania Presentation

Read More

2017 National AHIMA Convention: Takeaways for Health Information Management Professionals

The American Health Information Management Association (AHIMA) held its annual convention and exhibit in Los Angeles, October 7-11. This year’s event delivered a renewed focus on the profession’s responsibility to protect and govern Protected Health Information (PHI). During the convention, updates for privacy, security, interoperability and information governance were provided. Here is a quick overview of lessons learned at the conference. You can read more in my recent post to HIM Scene’s blog, titled Heard at #AHIMACon17: Lessons Learned for HIM.

Privacy and Security Institute

This year was the 11th anniversary of AHIMA’s Privacy and Security Institute. Speakers from the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Federal Bureau of Investigations (FBI) and Health Information Trust Alliance (or HITRUST) joined privacy and HIM consultants for a two-day seminar.

Additionally, MRO’s Angela Rose, MHA, RHIA, CHPS, FAHIMA, Director of Client Relations and Account Management, and I co-presented a session titled, “Developing Best Practices from OCR Audits and Enforcement Activities.” In this session, we offered best practices for HIM professionals based on lessons learned from the OCR’s patient access guidance, resolution agreements and HIPAA Audit Program protocols. You can download a copy of our presentation by completing the form at the bottom of this blog post.

Cutbacks Underway

The position of Chief Privacy Officer (CPO) at the Office of the National Coordinator for Health Information Technology (ONC) has been vacant for the past year, and during this time Deven McGraw, Deputy Director of Health Information Privacy at the OCR, successfully served as acting CPO. Her recent departure, along with other cutbacks, will have a trickle-down impact for privacy compliance in 2018.

Onsite Audits Cease

Yun-kyung (Peggy) Lee, Deputy Regional Manager for the OCR, informed attendees that onsite HIPAA audits would no longer be conducted for Covered Entities or Business Associates due to staffing cutbacks in Washington, D.C. The concern here is that whatever doesn’t get regulatory attention, may not get done.

Interoperability Advances HIPAA

The national push for greater interoperability is an absolute necessity to improve healthcare delivery. However, 30 years of new technology and communication capabilities must be incorporated into HIPAA rules. Old guidelines block us from addressing new goals. We expect more fine-tuning of HIPAA in 2018 to achieve the greater good of patient access and health information exchange.

In an article published shortly before the AHIMA convention, OCR Director Roger Severino touched on the need to modify HIPAA in light of technology advancements and cyber threats saying, “I’ve gotten up to speed on HIPAA, and as the threats evolve, we have to evolve in how we approach it – and we have to be smart about who we target. At most I will say the big, juicy case is going to be my priority and the methods for finding it – stay tuned.”

Luminary Healthcare Panel

This session was a very relevant discussion for my role as Vice President of Privacy, Compliance and HIM Policy at MRO. Panelists provided a glimpse into the future of healthcare while reiterating HIM’s destiny—data integrity and information governance.

Final Takeaway

There is no doubt that HIM’s role is expanding. We have the underlying knowledge of the importance of data and the information it yields. More technology leads to more data and an increased need for sophisticated health information management and governance. Our history of protecting patient information opens the door to our future in the healthcare industry.

To download slides from MRO’s Privacy and Security Institute presentation “Developing Best Practices from OCR Audits and Enforcement Activities,” complete the form below.

To download slides from MRO’s Privacy and Security Institute presentation “Developing Best Practices from OCR Audits and Enforcement Activities,” complete the form below.

Read More

Five Ways CEs can Mitigate Breach Risk Associated with BAs

As advancements in health information technology allow increased access to Protected Health Information (PHI), the risk of breach is on the rise. In 2017 alone, there have been 233 reported data breaches, which have impacted 3,159,236 patients. This steady climb suggests that Covered Entities (CEs) and Business Associates (BAs) are still struggling to establish the measures needed to protect patient data and confidentiality.

CEs must be vigilant about the risks and threats directly related to their activities. And now more than ever, they need to focus on the additional threat vector presented by their BAs. As you would expect, the types of breaches encountered by BAs are similar to the threats facing CEs. The causes of breaches include malware/ransomware incidents, accidental disclosures, loss or theft of media containing sensitive data, physical loss of records, application and system vulnerabilities, social engineering exploits and payment fraud. While there are many different culprits of breach, improper and accidental disclosure of PHI is the most common cause of data security incidents. These improper disclosures of PHI include a wide range of errors such as comingled records and misdirected faxes and emails.

The impact of BA breaches on patients of a CE can run deep—from cases of identity theft to exposure of sensitive information regarding a condition, treatment or test that could lead to harm, embarrassment or discrimination. If fines are levied, sanctions and actions will be held against the CE as well.

In an upcoming AHIMA Convention educational session titled “Essentials for Business Associate Management: Due Diligence and Ongoing Risk Analysis,” my colleague Rita Bowen, MA, RHIA, CHPC, CHPS, SSGB, and I will review ways CEs can mitigate breach risk associated with BAs. The following is a sampling of what we will discuss.

    1. Perform initial due diligence. Identify what services are being performed, where the services are being performed, and what contracts should be in place including Master Service Agreements (MSAs), Business Associate Agreements (BAAs), Nondisclosure Agreements (NDAs), Data Use and Reciprocal Support Agreement (DURSA) and others.
    2. Get your security and compliance teams on board early in the process to avoid delayed services or rushed assessments. I cannot tell you how many meetings I’ve attended with our prospective client’s security and compliance teams, when we are just days away from finalizing a contract, and their opening statement is: “Well this is the first time we’re hearing of this. Let’s start from the beginning.” So, we just lost two weeks getting a project started, and the client needs us to go live in seven days. To avoid these types of delays, it’s recommended to have security and compliance teams involved in the onboarding of new partner services and technologies early in the process.
    3. Have a standard assessment. Have an equal way to measure the risk associated with the various services BAs can provide. No one shoe fits all, but attempting to keep the assessment process as standardized as possible allows for better assessments of risk. This assessment should cover all the applicable administrative, physical and technical controls associated with the services provided—all shoe sizes!
    4. Confirm cyber insurance. Make sure your BAs have adequate cyber insurance protections in the event of a breach—based on the services being delivered and the associated risk.
    5. Perform annual reviews and third-party assessments. Healthcare organizations should implement a formal program to review their BAs on an appropriate schedule. This would include your typical or an abridged assessment and any third-party certifications, accreditations or audits your BA has achieved.

    Complete the form to download the HCPro HIPAA Briefings article “Managing HIPAA Business Associate Relationships.”

Download "Managing HIPAA Business Associate Relationships”

Read More