HIPAA and Your Business Associates

The number of complaints filed under the Health Insurance Portability and Accountability Act (HIPAA) has spiked recently. The latest figures from the U.S. Department of Health and Human Services (HHS) show that the government is increasing its enforcement efforts regarding the federal privacy law.

The HHS Office for Civil Rights (OCR) has reported that it has received over 115,929 HIPAA complaints and initiated over 1,216 compliance reviews since the final HIPAA Privacy Rule was enacted in 2003. In 23,580 of those cases, businesses were required to change their privacy practices or face corrective action. Additionally, the OCR has, to date, imposed nearly $26.4 million in fines for HIPAA privacy, security, and breach notification violations.

According to the recent enforcement data, the HIPAA issues most commonly investigated are improper use or disclosure of protected health information and a lack of adequate data protections. Even if no data is actually exposed, an organization can be fined for policies and practices that put data at risk of exposure.

Among the factors that can affect a company’s compliance position are its business associates, defined as any organization, company, or contractor that works on behalf of, or for, a covered entity. If a third party has access to patients’ Protected Health Information (PHI) in order to help the covered entity carry out its health care functions, that third party is considered a business associate.

HIPAA Agreements For Business Associates

A covered entity’s formal agreement with its business associates must include the following information, according to HHS:

  • A description of the PHI uses and disclosures permitted and required of the business associate
  • An agreement that the business associate will not use or further disclose PHI other than as permitted or required by the contract or as required by law
  • A declaration of the consequences should sensitive information be exposed
  • A requirement that the business associate use appropriate safeguards to prevent inappropriate use or disclosure of PHI

Under HIPAA, business associates are themselves legally responsible for protecting PHI. As HHS puts it:

“A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.”

Covered entities and business associates must collaborate on HIPAA compliance. Data breaches are becoming all too common, and many companies and contractors do not realize that their networks have been compromised until months after the fact. Additionally, without a solid working knowledge of data security best practices, detecting potential weaknesses is an impossible task.

BAI Security’s compliance Controls Audits and Risk Assessments evaluate an organization’s existing policies and procedures against the applicable compliance and legal standards. The audit also identifies reasonably foreseeable risks that could lead to service interruption or to the unauthorized disclosure, misuse, alteration, or destruction of confidential information.

Our Security Awareness Training helps boost an organization’s information security posture by increasing employees’ understanding of security threats and the damage they can cause. Our training utilizes a unique approach to adult learning, setting a new standard in efficacy and knowledge retention.

Posted in BAI Security Blog.