It’s More Than Just an IT Problem

Not every HIPAA security requirement is related to technology. Just two of the requirements to keep in mind when you work to make your company HIPAA compliant include Business Associate Agreements and Risk Assessment.


HIPAA Requirement for Business Associate Agreement


In addition to your IT department’s need to keep Protected Health Information (PHI) in electronic form secure, you need to consider issues not related to technology. For example, if a company you work with is considered a business associate under HIPAA, this means you must have a business associate agreement (BAA) in place with them before transmitting PHI to them. This BAA is a contract to uphold PHI security according to HIPAA guidelines. Failure to have the (BAA) in place at the proper time can result in fines and other penalties.


In a recent case, a surgical practice ended up having to settle with the Office of Civil Rights of the U.S. Department of Health and Human Services (OCR) for $750,000 after it improperly disclosed several thousand patients’ PHI to a service provider without first entering into a BAA with the service provider. This service provider had agreed to digitize x-rays containing PHI, in exchange for extracting and keeping the silver from the x-ray film. While this provider’s service might not appear at first glance to be related to health care, the fact that the x-rays contained PHI and the provider “created, received, maintained, or transmitted” the PHI without a BAA in place made all the difference in this case.


HIPAA Requirement for Risk Assessment


HIPAA requires all covered entities, their business associates, and subcontractors of business associates to conduct a risk assessment. As stated in HIPAA these entities must, “…implement policies and procedures to prevent, detect, contain, and correct security violations.” Further, a risk assessment is defined as a, “…thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”


In another case, a Minnesotabased health care company paid a $1.5 million settlement after one of its business associates was investigated. A laptop containing PHI for the health care company’s patients had been stolen from the car of one of the business associate’s employees. The health care company was penalized both because there was no BAA in place between it and its business associate, and because it had not conducted an adequate analysis to the security threats to the PHI.


HIPAA Audits, Phase 2 – Business Associates May Also Be Audited


As we mentioned in our recent post, “Is Your Business Affected by HIPAA Regulations,” the OCR launched Phase 2 of its HIPAA Audit Program on March 21, 2016. In this phase, any covered entity or business associate may be audited. Per the OCR, these audits can involve onsite assessments or desk audits.


Need to Learn More about HIPAA Compliance?


If you’d like to learn more about how HIPAA compliance may affect your business, Aperio-IT will be holding a free Lunch and Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations. You can find out details and register here to attend.


You can also take a look at our previous HIPAA-related posts: