Previously, HIPAA was enforced only at the Covered Entity level (e.g. hospitals, insurance companies, healthcare providers), and a covered entity may have had contractual obligations with its third-party providers. New provisions bring "Business Associates" into the compliance regulations. A BA is any organization responsible for storing, accessing, or processing Protected Healthcare Information (PHI); this normally includes third-party data centers, third-party administrators (TPAs), vendors used to process health data, courier services, and many more.
What is required of Business Associates?
Compliance with HITECH, which includes the HIPAA Security Rule and the breach notification requirements. This can be a daunting task for some service organizations: the HIPAA Security Rule is organized into three categories (1. Administrative Safeguards; 2. Physical Safeguards; 3. Technical Safeguards), and within these three categories there are 18 standards and 36 implementation specifications (implementation specifications are similar to controls or safeguards). The HITECH Act imposes penalties for noncompliance due to willful neglect and authorizes Health and Human Services (HHS) to investigate any complaint of suspected noncompliance. In the event of noncompliance, the violating party may be subject to civil monetary penalties ranging from $100 to $1,500,000 per violation. HITECH also requires HHS to perform random audits to ensure that covered entities and business associates are in compliance.
What can you do?
Perform a risk assessment and compare your internal controls and procedures against the HIPAA Security Rule and the breach notification requirements. Identify noncompliance issues and implement a plan to bring your organization into conformance with HITECH.
Want more information on HIPAA HITECH Compliance? Please post a comment below or contact our Risk Advisory Services Group at 440-449-6800.
Looking for additional ways to grow your business? Visit us at www.skodaminotti.com, subscribe to the Skoda Minotti Blog, follow us on LinkedIn, Twitter (@skodaminotti) and Facebook, or simply contact us at any one of our four office locations: Cleveland, Akron, Westlake or Tampa.