To ensure HIPAA compliance, Covered Entities and Business Associates must comply with the latest HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, in effect since September 2013. Have an industry professional walk you through the steps personally, or use our “Do-It-Yourself” (DIY) online toolkit to ensure compliance with the latest HIPAA/HITECH privacy, security, and breach standards.
For Healthcare Practices and Business Associates
HITECH and HIPAA Compliance Consulting Service
Performed by a certified consultant
Prioritization and mitigation of risks
Privacy and data breach standards
Reports required by regulatory agencies
Online Do-it-Yourself HIPAA/HITECH Assurance (HHA) Toolkit
Save money by performing HHA in-house
Action plans with pre-populated solutions
Privacy and data breach assessment
Download and print reports
Optional consulting service
Who is affected:
A covered entity or business associate must legally comply with the federal HIPAA/HITECH security, privacy, and breach rules and standards to protect individuals’ electronic protected health information (ePHI) that it creates, receives, uses, or maintains. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, business associates, and those health care providers that conduct certain health care transactions electronically. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Breach Notification Rule covers the breach notification procedures introduced by the HITECH Act for unsecured protected health information.
What needs to be protected:
The Privacy Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections. The HIPAA Security Rule lists 28 administrative safeguards, 12 physical safeguards, and 12 technical safeguards, along with specific organizational policy and procedural requirements. The breach rule guidance names encryption and proper data disposal as the technologies and methodologies for rendering protected health information, as well as PHR identifiable health information, unusable, unreadable, or indecipherable to unauthorized individuals, so that breach notification is not required.
Our HITECH HIPAA Compliance Assurance Services include:
EHR 2.0 HITECH and HIPAA compliance assurance services help healthcare organizations discover gap areas against the required and addressable requirements. Our privacy, security, and breach compliance assessment includes all requirements listed in the act. Our HIPAA security assessment first identifies the 18 ePHI elements using our proprietary identification and profiling method, as the basis for reasonable and appropriate protection of electronic protected health information across the three security objectives:
- Confidentiality: Limiting information access and disclosure to authorized users only (the right people)
- Integrity: Trustworthiness of information resources (no inappropriate changes)
- Availability: Accessibility of information resources when needed (at the right time)
Our Major Deliverables Include:
– Information Security Policy
– Unprotected PHI Data Breach Policy
– Notice of Privacy Practices
The HIPAA Privacy Rule covers protected health information in any medium while the HIPAA Security Rule covers electronic protected health information.
You can get more information from HHS (Health and Human Services) at http://www.hhs.gov/. For any specific question or service request, feel free to contact us at firstname.lastname@example.org.
The American Recovery and Reinvestment Act of 2009, Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, OCR performs audits of covered entities to assess privacy and security compliance. For more information about the program, visit http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html.
The security standards under HIPAA should be reviewed and modified as needed to continue providing reasonable and appropriate protection of electronic protected health information. Typically, depending on your organization's size, a review once every 6 months is recommended. A review is also wise whenever there is a major change in process flow, technology setup, staff, or similar factors.
A standard is a provision of the Security Rule that all CEs and BAs must comply with, specifically with respect to ePHI; there is no exception. There are 18 standards in the Security Rule.
While a “Standard” defines what a covered entity must do, an “Implementation Specification” describes how it must be done. There are two types of implementation specifications: those that are “required” and those that are “addressable”.
If an implementation specification is stated as “Required”, a covered entity MUST comply with it.
If an implementation specification is stated as “Addressable”, the covered entity must assess whether it is reasonable and appropriate in its environment with reference to ePHI. If it is applicable, the entity must take measures to implement it.
If it is not applicable, the entity must document why it is not applicable and implement an equivalent alternative measure if that is reasonable and appropriate.
Complying with HIPAA/HITECH regulations is a federal mandate. Beyond that, ensuring the privacy and security of electronic health information is a key component in building trust with patients, other providers, and other business partners. If individuals and other participants in a network lack trust in the electronic exchange of information, because of perceived or actual risks to that information, it may affect their willingness to disclose necessary health information and could affect business growth.
The term "business associate" refers specifically to a person or organization that conducts business with the covered entity involving the use or disclosure of individually identifiable health information. Business associates include those that perform services on behalf of the covered entity, such as claims processing, data analysis, utilization review, and billing, or that provide services to the covered entity, such as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. To be a business associate under this definition, the work of an organization must deal directly with the use or disclosure of protected health information. Additionally, the HITECH Act specifies that an organization that provides data transmission of PHI to a covered entity and requires routine access to PHI will be treated as a business associate.
All covered entities must comply with the HIPAA/HITECH Rules. In general, the standards, requirements, and implementation specifications of HIPAA apply to the following entities:
1. A Health Care Provider
2. A Health Plan
3. A Health Care Clearinghouse
4. Business Associates
If there is any breach, it is the responsibility of the covered entity to work with its BA and assess the damage. Necessary steps should be taken to resolve it.
No. If patient information is shared purely for treatment purposes, there is no need for a BA contract between the parties.
Yes. Since they handle your ePHI, federal regulation requires you to have a BA contract with them.
No, you do not need a BA contract with these entities. If patient information is shared purely for treatment purposes, there is no need for a BA contract between the parties. However, if you use any service providers for your claims and processing, you need to have a BA contract signed with those entities.
No. There are exceptions to who needs a BA agreement with you. Service providers such as janitorial or electrical contractors do not need to sign a BA contract with you.
Yes. HIPAA/HITECH regulations require that you have a contractual agreement with your BA in order to protect the data they hold. Experts at EHR 2.0 can help you with such contracts. You can reach us at email@example.com.
- Must comply with the HIPAA Privacy, Security, and Breach Notification Rules
- May not use or disclose PHI beyond what the agreement permits
- Must limit use and disclosure to the minimum necessary
- Directly subject to civil and criminal liability
If PHI is shared for treatment purposes, it is not considered a business associate relationship. Services that do not create a business associate relationship include:
- Physician Services
- Nursing Services
- Laboratory Services
- Radiology Services
- Physical Therapy
- Occupational Therapy
- Bank Services
- Courier Services
Examples of business associates include:
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
Under the contractual agreement between a CE and a BA, the CE can audit the business associate. Any breach by a BA affects the CE. However, a CE cannot force a BA to audit its own facilities. A BA that does not cooperate with an audit is a red flag, and the business relationship should be revisited.