Why Internal Compliance is NOT Enough…
Whose responsibility is it to be HIPAA compliant? Is it just the doctor’s responsibility? His IT advisor? His vendor? His secretary? The nurses? Is it everyone in the healthcare organization?
We all know that doctors, dentists, chiropractors and other healthcare providers fall under the HIPAA Security and Privacy Rules. They are all trying their very best to make themselves compliant. However, what most of them overlook is that their business associates, subcontractors, and employees also fall under these rules.
According to the HHS, “Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.” In other words, anyone who handles or interacts with patient health information, in any way, must protect it.
Any person who does any of the following:
• Talks to patients directly
• Gives out prescriptions
• Takes blood pressure
• Manages the firewall for a healthcare environment
• Manages a database that holds patient data
• Encrypts patient data on behalf of a provider
… is responsible for HIPAA compliance and liable for HIPAA violations. If they interact with Patient Health Information in any way, healthcare workforce members, third-party vendors and subcontractors are all equally legally bound to comply with HIPAA regulations concerning the security of Patient Health Information.
Third-party vendors sometimes think they are exempt from these provisions, especially those who don’t classify themselves as “healthcare covered entities.” The problem is that the HHS does consider them legally bound to protect PHI, and ignorance is not accepted as a legitimate excuse in the HHS’ eyes. That’s why the HHS requires business associate agreements.
According to the HHS, “In addition to business associate agreements, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.”
The HIPAA Omnibus Rule’s provisions concerning business associates are as follows:
• Make business associates of covered entities directly liable for compliance with certain parts of the HIPAA Privacy and Security Rules’ requirements.
• Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes and prohibit the sale of protected health information without individual authorization.
• Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
• Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
Covered entities should review their existing Business Associate Agreements (BAAs) to include:
• Updating the BAA to state that if the business associate is to carry out the covered entity’s obligations under the Privacy Rule, the business associate must comply with the requirements of the Privacy Rule that apply to the covered entity in the performance of such obligations; and
• Adding a provision stating that the business associate is directly subject to the Security Rule.
The business associate rule is critical because it helps ensure that your business partners are also fully HIPAA compliant.
If Protected Health Information (PHI) is compromised at a healthcare practice, the practice is always considered at fault. A third-party vendor can cause a data breach, and signing a business associate agreement doesn’t exempt the vendor from responsibility for anything that goes wrong with patient data security. If data in the business associate’s possession is breached, the business associate shares equal responsibility with the healthcare provider.
What stands between your patients’ valuable data and cyber criminals is your vigilance on compliance. It’s not enough that you are internally compliant. Your vendor is a crucial link in your healthcare compliance chain. Secure your patient data now and break free from business worry.