The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, mandates standards-based implementation of security controls by all healthcare organizations that create, store or transmit electronic Protected Health Information (PHI).  Further, in May 2011, the Department of Health and Human Services' Office for Civil Rights (OCR) published a proposed rule, managed under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which brings additional compliance standards to healthcare organizations.  If the final rule closely follows what was proposed, requirements on covered entities (providers, payers and claim clearinghouses), their business associates (BAs), and subcontractors of BAs will become more stringent.  In addition, what previously existed only as a contractual obligation would become a regulatory requirement.

The proposed rule puts new requirements on BAs as well as on subcontractors, who currently are not subject to the rule under the law's definition.  The rule also broadens the definition of a BA.

A covered entity that knows about noncompliance by a BA must take reasonable steps to protect the covered entity's health information.  Industry officials also predict that covered entities will tighten language in Business Associate Agreements to ensure that BAs and their subcontractors immediately report any breaches of Protected Health Information (PHI), and will require BAs to conduct scheduled Security Rule risk assessments and to provide information on who their subcontractors are and what their duties are, such as shredding documentation or destroying old hard drives.


BAs should also expect to do more oversight of their subcontractors under the final rule.  For now, covered entities should begin to enhance existing security oversight so that they are pre-emptive rather than reactive.

So, while these changes are still pending, what should you be doing as a healthcare organization? As an organization that directly deals with PHI, you should:

  • Designate a Privacy Officer
  • Develop and implement policies and procedures
  • Implement appropriate safeguards and mitigate any effects of disclosure of PHI
  • Conduct workforce training and employ sanctions for violations
  • Identify a complaint process
  • Ensure documentation is retained in a secure environment (for 6 years)

RMS Healthcare is, and remains, very prudent in our actions to ensure the privacy and integrity of our clients' PHI.  We work diligently to ensure that we have a signed business associate agreement with all of our clients and that proper policies and procedures are in place.

We also assist employers in putting resources in place to ensure compliance with HIPAA mandates.  We can offer Privacy and Security videos, assist with policy and procedure development, and can host staff training sessions.  If you are interested in learning more about how RMS Healthcare can assist your organization in ensuring HIPAA compliance, contact Susan Maxsween, Manager, Healthcare Transformation, at or by calling 315.635.9802.