Organizations that were once “just” business associates of Covered Entities are realizing that they’re subject to HIPAA regulations to the same extent as the Covered Entities they contract with. And with that realization, many are asking about the necessity of completing a Business Associate HIPAA Risk Assessment. But what should such an assessment include? And what are the requirements for protecting the privacy of the Protected Health Information (PHI) they have in their possession?
Some companies are asking about being designated as HIPAA-compliant or having a HIPAA “seal of approval”. Is that possible?
No one, including the government, can give you a “seal of approval” since so much of what an organization has to do to remain in compliance involves individual employees following your policies and procedures. It’s a continual, dynamic process.
Business associate HIPAA concerns
It used to be enough to be sure to have an executed “Business Associate Agreement”. So why should an organization pursue a HIPAA Risk Assessment?
As more and more breaches of privacy of PHI are reported, members of the public are becoming more and more sensitive to the idea that their information may be at risk of disclosure. Business associates and covered entities alike must contact patients when PHI is unlawfully disclosed, and of course all covered entities must already tell their patients who to contact if they have a complaint about privacy – the Office of Civil Rights (OCR) of the Health and Human Services Department.
When it comes to complying with HIPAA, business associates need to be proactive
So how should you prepare? What if a client asks you about your HIPAA compliance activities? Or what if you are contacted by a representative from the Office of Civil Rights launching an investigation because of a complaint from someone claiming their privacy was breached?
There are at least four things that would be important to have on hand:
1) Your HIPAA Privacy and Security Risk Assessment,
2) Your Privacy and Security policies and procedures (updated for changes as necessary),
3) Your evidence of training your employees in those policies and procedures, and
4) Your evidence that you do some auditing to see if your policies and procedures are being followed.
If you ever have a breach, whether due to a failure of the technical measures that protect Electronic Protected Health Information (ePHI) or because an employee fails to follow the rules (or defeats your security measures), you want to be in the position of having engaged in good-faith efforts to comply with the regulations. The organizations that get slapped with penalties, etc., usually have some deficiency in the items I listed above. Being proactive will make everything more manageable.
Integrating HIPAA into daily practice is the new norm for business associates
The good news is, the regulations are worded rather generally, and organizations must decide how they reasonably apply in their own circumstances. The bad news is, the regulators who investigate complaints and breaches also apply their own logic or rationale to your situation, and second-guess the reasonableness of your security and privacy practices. You can get some idea of their thinking on various issues by looking at the FAQs on the OCR website, but ultimately they always refer back to the actual text of the regulations – and how a reasonable person may choose to comply with them.
So remember, HIPAA compliance is a long-term proposition. You have to stay abreast of changes in regulations, keep your workforce trained, and set a tone of compliance as a business necessity, not just a regulatory requirement.