In 1996 the federal government introduced a law known as the Health Insurance Portability and Accountability Act (HIPAA). The mandates were implemented to improve the process of sharing patient records between health care organizations, as well as to protect the overall privacy of confidential patient information. Since 2009 especially, the department of Health and Human Services, which oversees enforcement of the law, has shifted its attention to ensuring that the privacy rule of HIPAA is widely enforced, Medical Economics explained. The focus has moved to patient information privacy protection because of advances in technology: In the digital age patient health information is primarily stored on computers in the form of electronic health records, rendering them more vulnerable to breaches or cyber attacks.
Effectively complying with HIPAA can be complicated, but it typically involves ensuring that sensitive patient data is fully protected by taking a number of measures, such as implementing software and developing a set of privacy rules for employees. In recent years the Office of Civil Rights, which is a branch of HHS, has introduced a number of trial HIPAA audits for health care companies to ensure that their organizations meet the law’s standards. And in 2016 the number of nationwide audits are set to increase, Healthcare IT News stated.
“In 2016 the number of nationwide audits are set to increase.”
What is “Business Associate” status?
It isn’t just health care organizations that should be concerned about HIPAA compliance, however. A number of companies across an array of industries could be liable to comply with HIPAA under a designation known as “Business Associate” status. The BA status, according to HHS.gov, is a company that does business with a health care organization and uses protected patient health information, or has technology that could access that information. Examples of companies that typically fall under BA status are law firms, data management companies, accounting groups and consultation organizations. Groups that do general business with health care companies, such as catering services or janitorial services are not regarded as business associates, because they do not have permitted access to patient health records. Furthermore, a business involved exclusively with the movement of protected health information, such mailing organizations, are considered to be a “conduit” but not a “BA.”
HIPAA business associates are typically defined as such in any new contract signed with a health care provider they are set to work with, HHS.gov elaborated. It’s absolutely imperative, therefore, that an organization’s human resources department is aware of their company’s BA status, as the provisions may be hidden in the small print of a contract. If a company is indeed regarded as a BA for HIPAA purposes then it’s important they ensure that their company is in compliance with the act’s rules, especially ahead of the OCR audit program set to begin later this year. Just like a health care company, a BA is liable for hefty financial penalties from the OCR if non-compliance is uncovered during an audit, Healthcare IT News noted.
Tips for audit preparation
There are a number of steps that a human resources department at a BA can take to prepare for a potential HIPAA audit. Below is a quick guide to the most effective steps:
- Consulting with the legal department is the first step to ensuring that a company actually qualifies as a BA. Once this has been determined, legal professionals can help with the process of deciphering HIPAA’s many complex stipulations.
- Developing a clear company-wide policy for HIPAA compliance is vital. BAs that have yet to do this should begin the process immediately.
- Once a compliance framework has been put in place, educational seminars for all staff are encouraged to bring them up to speed on what’s expected.
- A security check of a company’s entire information technology infrastructure is necessary: Systems should be up to date, HIPAA approved and problem-free. As Fierce Health IT argued, the worst time to uncover any security problems is just before an audit.
- Organization is also encouraged, Fierce Health IT detailed. The OCR will look more kindly upon a company that has everything in order.
- Holding a drill audit for all staff is also an astute move, according to Healthcare IT News.
The above information is important for all business associates, especially given the fact that BAs are generally less aware of HIPAA than health care companies. In fact, according to the HIPAA Journal, during 2013 alone, due to a lack of HIPAA awareness, BAs were responsible for 40 percent of all recorded patient health information security breaches. Another recent study from Legal Workspace produced similar findings: The investigation discovered that just 13 percent of surveyed BA law firms had the right kind of security measures and technology in place to stay on the right side of HIPAA. The results from both studies demonstrate that more education is needed for health care organization BAs on HIPAA’s myriad mandates.