Written by: John Lynn
Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.
John Lynn’s post “Covered Entity is Only One with Egg on Their Face” is good warning to healthcare providers: as HIPAA enforcement gains teeth, you are responsible for breaches caused by your business associates. The increase in HIPAA enforcement, penalties and current ONC audits make it clear that ignorance of adherence to HIPAA by your business associates (BA) is not a valid strategy.
In fact, the Poneman Institute Study cites 46 percent of breaches as caused by BAs, yet the covered entity (CE) is responsible for 100 percent of them from a legal prospective.
The time for inaction regarding your BAs is over. Now is the time to confront the issue head-on. The good news is that it costs less in the long run to prevent breaches than it does to pay for breaches committed by your BAs. Here’s how to get started.
It’s Time to Act
The same policies and procedures that you have implemented for yourself are applicable to your BAs. Of course, since the BAs do not report through your organization, the best way to assume compliance is through your contracting process.
It is not enough to just put it in the contract. In the old “trust but verify” school of management, your contract must also contain avenues of verification. That can include surveys, reports, audits, policy and procedure manuals, etc. This due diligence at contracting time pays off in many ways when ONC auditors knock on your door.
The due diligence must be a continual process, not just “once and done”. The laws are changing and Health and Human Services (HHS)’s Office of Civil Rights (OCR) is implementing new risk audits in 2012 to test your readiness. New breach notification and accounting of disclosure rules are imminent and will further tighten the laws. Also, many institutions focus on the Privacy Rules, while paying less attention to the Security Rules. The privacy rules focus on the “what,” while the security rules focus on the “how” of compliance.
To protect yourself, you should be doing self assessments using both internal and external auditors. Anything you do for yourself should be considered for your business associates.
Simple Encryption Goes a Long Way
Most accidental large-scale breaches are caused by lost or stolen electronic devices. The small one or two patient breaches are much less of a publicity problem but still require a risk assessment. The small breaches are going to happen; it is inevitable. The large breaches carry a higher degree of severity.
To prevent large breaches, it is essential that BAs which use electronics have the same tight policies and procedures in place that you do (or should). They can go beyond the HIPAA-mandated policies. One practice that should be implemented is encryption.
Remember, a lost electronic device that contains encrypted data is not considered a reportable breach. Encryption is a logical first step that, while not yet HIPAA mandated, will save considerable pain and expense over time. Notice it is only a first step. There are other security technologies available that will call a central location to pinpoint a device’s location. Further, they can wipe themselves clean if not accessed properly or in a given timeframe.
Paper Breaches Also a Concern
And providers shouldn’t lose sight of paper medical records and how BAs are using them. In fact, many breaches to date have involved paper. Understand how your BAs use paper records and patient information. Is it going off site? If so, there should be established policies and procedures.
Any access to paper records and appropriate destruction of those records must be HIPAA compliant. Locked bins for disposal and state-of-the-art shredders are a must at the provider’s site and the BA’s office. Do not let paper records lay around on desks and make sure all personnel are trained in the handling of paper records.
Training and Education for All
Training and educating are the foundation of any compliance program. BAs should have an in-depth training and education program that is as robust as that of the covered entity. Best practices make training an ongoing, living process with regular updates and mandatory attendance at classes.
Making the effort to fend off unauthorized disclosures will go a long way toward mitigating risk. Staying in front of the threat curve is difficult but not impossible. Remember to apply lessons learned to your BAs so you aren’t the only one with egg on your face!