The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, mandates standards-based implementation of security controls by all healthcare organizations that create, store or transmit electronic Protected Health Information (PHI). Further, in May 2011 the Department of Health and Human Services' Office for Civil Rights (OCR) published a proposed rule under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which brings additional compliance standards to healthcare organizations. If the final rule closely follows what was proposed, requirements on covered entities (providers, payers and claim clearinghouses), their business associates (BAs), and subcontractors of BAs will become more stringent. In addition, what previously existed only as a contractual obligation would become a regulatory requirement.
The proposed rule puts new requirements on BAs as well as on subcontractors, who currently are not subject to the rule under the law's definition. The rule also broadens the definition of a BA.
A covered entity that knows about noncompliance by a BA must take reasonable steps to protect the covered entity's health information. Industry officials also predict that covered entities will tighten the language in Business Associate Agreements to ensure that BAs and their subcontractors immediately report any breaches of Protected Health Information (PHI), and will require BAs to conduct scheduled Security Rule risk assessments and to provide information on who their subcontractors are and what their duties are, such as shredding documentation or destroying old hard drives.
BAs should also expect to exercise more oversight of their subcontractors under the final rule. For now, covered entities should begin to enhance their existing security oversight so that they are prepared in advance of the final rule.
So, while these changes are still pending, what should you be doing as a healthcare organization? As an organization that directly handles PHI, you should:
- Designate a Privacy Officer
- Develop and implement policies and procedures
- Implement appropriate safeguards and mitigate any effects of disclosure of PHI
- Conduct workforce training and employ sanctions for violations
- Identify a complaint process
- Ensure documentation is retained in a secure environment (for 6 years)
RMS Healthcare is, and remains, very prudent in its actions to ensure the privacy and integrity of our clients' PHI. We work diligently to ensure that we have a signed business associate agreement with all of our clients and that proper policies and procedures are in place.
We also assist employers in putting resources in place to ensure compliance with HIPAA mandates. We can offer Privacy and Security videos, assist with policy and procedure development, and host staff training. If you are interested in learning more about how RMS Healthcare can assist your organization in ensuring HIPAA compliance, contact Susan Maxsween, Manager, Healthcare Transformation, at SusanM@RMSresults.com or by calling 315.635.9802.