Introduction:
Over the past couple of years, with HITECH and now the HIPAA Omnibus Rule, there are tighter restrictions on business associates and their vendors. I want to spend some time talking a little bit about that today.
Slide: Agenda
First of all, let’s lay out a quick agenda. I want to talk about HIPAA, HITECH, Omnibus, and how they relate to the Business Associate. Then we’ll give some background about the relationships those healthcare organizations have with healthcare entities and medical practices. After that, we’ll wrap things up by talking about what comes next: what will be the next step for entities, and what will be the next step for Business Associates. Then we’ll have a summary and Q&A section.
Slide: HIPAA, HITECH, and The Business Associate
First of all, let’s talk about this idea of a Business Associate. In the HIPAA world we have a couple of different types of organizations. Generally, we know the covered entity gets the most HIPAA exposure; but it’s important to understand that a Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. So, organizations that provide services to physician practices, hospitals, and insurance companies are considered Business Associates.
Slide: HIPAA, HITECH, and The Business Associate ctd.
The important phrase in that definition is “certain functions or activities”. The first thing is disclosures. At this point, a disclosure is the release of some patient information to a third party. There are some Business Associates or vendors of medical providers that have to make disclosures in some cases. The main term, or general term, is that of services.
I also want to spend some time talking about this idea of reasonable and appropriate safeguards. Anybody who has worked with Business Associates knows that you have business associate contracts in place. If you’re a covered entity, a provider or insurance company, you have contracts with your vendors; if you’re a vendor, you have contracts with your clients. In those contracts, which are called Business Associate Agreements or Business Associate Contracts (the names are used synonymously), there is certain language that says a Business Associate has to take reasonable and appropriate safeguards.
Slide: Safeguards- Not Just Vague Language
Now I am going to talk a bit about that language and what it means. When we talk about this concept of safeguards, Business Associate contracts specifically mention administrative, physical, and technical safeguards. In my experience working with a lot of companies, those statements are sometimes interpreted as just safeguards. And what I think Business Associates are learning more and more is that administrative, physical, and technical safeguards are very specific HIPAA requirements and citations. So, the point I want to drive home here is that when you’re engaged with a Business Associate, or if you’re a Business Associate engaged with a client, those terms are very specific HIPAA requirements. When you’re signing a Business Associate Agreement, understand that you’re committing to meeting those requirements.
Slide: Add HITECH/Omnibus to the Mix
A little bit of history on HIPAA. We know that it came out in 1996 and that, from a privacy perspective, we’ve all had patients sign HIPAA forms, or signed them ourselves as patients. Well, the HIPAA rules have changed a little bit over the years. In particular, the first major change that occurred was when the HITECH Act was introduced in 2009. HITECH was a part of the American Reinvestment Act stimulus package, and it stands for the Health Information Technology for Economic Recovery and Reinvestment Act of 2009. There were a number of things that were put into that whole stimulus plan. First was the introduction of what we now call Meaningful Use; in other words, there were incentives available for providers who had not yet implemented medical records in electronic form to do so. The second part of that entire measure was around educating the workforce and the providers on electronic medical records and technology within the healthcare industry. What is really not widely known is that a good portion of that HITECH Act was set aside to redefine and restructure some portions of HIPAA.
Slide: Post-HITECH/Omnibus HIPAA
The second thing that happened, over the last four weeks, was that we were introduced to the HIPAA Consolidated Omnibus. The Consolidated Omnibus was a combination of rules that had changed over the years plus the introduction of new requirements, in what I’m calling “HIPAA 2.0”. We had some minor revisions along the way and now we have our second version of HIPAA. So let’s now talk about HITECH and Omnibus and what changed relative to HIPAA. First of all, for the physicians who are attesting to Meaningful Use to receive their incentive, there were specific HIPAA requirements built into the whole Meaningful Use standard. Enforcement changed: there were increases in the maximum level of fines, and there were also various entities that were made responsible for enforcing HIPAA violations. The other thing that changed is that HIPAA ignorance is no longer tolerated. This means that in the past, if there was a violation, it was common for an organization to claim they simply didn’t know they had to comply here or comply there, and oftentimes they would get a slap on the wrist and be put in a position where they could remedy the situation. Well, that has changed, and at this point if you are ignorant of your responsibilities, that puts you in the category of willful neglect. The other major piece, the core of this presentation, is the fact that Business Associates and Subcontractors now have the same HIPAA responsibilities as the Covered Entities they service. This one is key because it says that the Business Associate has to be HIPAA compliant, and so do their vendors.
Slide: The Business Associate Relationship
I am going to lay out the way HIPAA sees the Business Associate relationship. Covered entities are your providers, your hospitals, your insurance companies, your clearinghouses. Generally, those covered entities have vendors or groups that provide services; these are defined as the Business Associates. Additionally, those Business Associates may have companies that provide services to them, and those organizations in the HIPAA world are called subcontractors to the covered entity. The Business Associate has responsibilities to the covered entity, and the subcontractor has responsibilities to the Business Associate. There is a fourth type of organization called a conduit; this is an organization like the US Postal Service or UPS. Ultimately, that conduit has responsibilities to all three of those. However, the one thing that has changed is that conduits are exempt from HIPAA compliance for a number of reasons.
Slide: Post-HITECH/Omnibus HIPAA
Now we will go into detail about what changed with HITECH and Omnibus as it relates to Business Associates. One, as mentioned before, is that Business Associates and Subcontractors must comply with all HIPAA Security Rules and the relevant Privacy Rules. Business Associates and Subcontractors are now liable for any misuse or failure to safeguard protected health information (PHI). Business Associates and Subcontractors must have a relevant Breach Notification Process; Business Associates now have the responsibility to identify, recognize, and report breaches up the chain accordingly. Business Associates and Subcontractors are required to provide access to a copy of the electronic protected health information (ePHI) to the covered entity when requested. For example, if you have electronic medical record software and you request an electronic copy of that medical record, the Business Associate is obligated to provide that to you as a type of disclosure. Lastly, Business Associates and Subcontractors must provide access to PHI in the event of an audit. This means that if a Business Associate is chosen for a HIPAA audit, they would have to provide access to the records in the same way that a provider would have to give access to the records.
Slide: HIPAA Compliance Responsibility
I am going to dive further into the responsibilities of the organizations. So, the Covered Entities, the Business Associate, and the Subcontractor all have responsibilities to achieve and maintain HIPAA Compliance. Not every Business Associate will have compliance responsibilities in each area under Administrative Simplification. It may just be security, depending on the rule and the purpose they serve. I also note here that Conduits do not, in fact, have HIPAA Compliance Responsibilities.
Slide: Business Associate Impact
Let me explain a little bit why the government is putting significant effort into making sure that the BAs and their vendors are meeting compliance. These stats were pulled from the Office for Civil Rights at Health and Human Services, known as the “wall of shame”; it lists breaches in which 500 or more individuals are affected. Ultimately, between September 2009 and December 2012, there have been breaches, and the number of patients affected by those breaches is 21,516,294. The numbers that stand out to me are that Business Associates were involved in 21% of those breaches; when you look at the total individuals affected, Business Associates were responsible for 57% of the individuals breached. What we’re saying here is that for the healthcare organizations whose patients were breached, 57% of those individuals were breached through the fault of one of their vendors. As you look at the average individuals per breach, when a BA is involved, there is an average of 106,698 individuals involved per breach. Anybody that has had to deal with a breach knows that it has to be dealt with in terms of cost per individual per breach.
Slide: The Covered Entity’s Perspective
So, let’s look at it from the Covered Entity’s perspective. We may have organizations on this call that are providers or Business Associates. I am first going to draw out some enforcement activities, specifically the categories of enforcement that have been laid out.
The worst possible scenario is to commit a breach or have an audit and be in a category of willful neglect where nothing is corrected. The second willful neglect category is where the violation is corrected. The third category, which is less severe than the other two, is due to reasonable cause and not willful neglect. The final category, and the best scenario you could be in if a breach does occur, is where, by exercising reasonable diligence, you would not have known. Understand that in the event of a breach, audit, or investigation, a fine or penalty is extremely likely, and where you fall on this spectrum is directly proportional to the amount of work you’ve done to become compliant and stay compliant. The point of this slide is that with an increasing degree of effort, you decrease your degree of HIPAA Compliance Risk.
Slide: The Covered Entity’s Relationships with Business Associates
Now, let’s talk specifically about the Business Associate relationship and how that factors in. I drew the same parallel with the increasing degree of HIPAA Compliance effort by the Covered Entity, Business Associate, and Subcontractor and its relationship to the decreasing degree of HIPAA Compliance Risk to the Covered Entity.
The worst possible scenario that can exist is that you could be doing business with an organization, a Business Associate, and have no BA contract in place. Obviously, the next best step is to have a BA contract in place. The next best step, relative to the impact on the Covered Entity, is if the Business Associate or Subcontractor has conducted a risk assessment. The next best step is that the BA or Subcontractor is taking the necessary steps toward compliance. The most optimal step is if the BA or Subcontractor produces proof of HIPAA Compliance.
Now, there are a couple of questions and myths that float around, and I’ll go over those later, but it’s important to understand that the further you take this HIPAA effort, the less risk you’re presenting to your client. One of the questions I often ask is whether there is a see no evil, hear no evil mentality for HIPAA. In other words, if I don’t do a risk assessment and I don’t uncover anything that’s vulnerable, am I in a worse position than if I were to discover it and uncover it? The answer is yes. If you elect not to perform a risk assessment, or you take yourself down the path of doing business in healthcare and you haven’t done, at a minimum, a BA contract or risk assessment, you’re in this situation of willful neglect. In other words, the government or auditor would rather see you do something and perhaps not achieve 100% compliance, but do something on that path, as opposed to doing nothing. And of course, as you can imagine, the level of fines and enforcement is relative as you cross the spectrum.
Slide: Common Questions
So I said I’d go over some common myths and questions. First, is the Covered Entity responsible for their Business Associate’s or Subcontractor’s HIPAA Compliance, or vice versa? And the answer to that is no.
Second, is the Covered Entity responsible for engaging in relationships with HIPAA Compliant Business Associates and Subcontractors? And the answer to that is absolutely. The Covered Entity has a responsibility of diligence that they have to execute in making sure that they’re doing business with those who will protect their information.
The last question I’m commonly asked is: if the Business Associate or Subcontractor claims HIPAA Compliance, does this imply that the Covered Entity is HIPAA Compliant? And the answer to that is no. This is very common, and I’ll give you a great example of where I see this. When a practice or a provider implements an electronic medical records software and that EMR software developer produces a HIPAA Compliant statement, many organizations believe that because they have that in hand, they have fulfilled their HIPAA Responsibilities. When, in actuality, that’s not the case. The practice, provider, health system, or insurance company has to do their own HIPAA Compliance measures.
Slide: HIPAA Compliance of Business Associates and Subcontractors
As I see it, in the HIPAA world, when you’re working with a Business Associate you have two types of compliance that should be measured. The first is solution compliance. For example, I’m going to use the idea of an electronic medical record solution. Solution compliance means that the EMR is HIPAA compliant and is hosted in a HIPAA compliant facility. In other words, the development of that application includes all the measures to control items such as having everyone use their own ID, having audit trails within the EMR, and other factors.
However, on the institutional compliance side, I’m looking for that EMR company and hosting company to have gone through an exercise to make sure that they have all the correct policies and procedures in place, to make sure their employees have been trained, and to make sure they have a disaster recovery plan so that wherever their EMR is hosted is taken care of in the event of a disaster. So I’m looking at it from two perspectives, and it’s important that as you deal with your Business Associates, you look at it that way as well. Another example would be a basic shredding company. For example, I know that nowadays a lot of shredding companies will actually drive a truck to your office where they shred it on site. So in other words, they’re showing you a HIPAA compliant solution. However, my questions to them are: have your employees been trained? Do you have policies around sanctioning employees if they happen to commit a HIPAA violation? So there are two areas to make sure are reviewed in this process.
Slide: A Healthcare Scenario
I also mentioned earlier that I would lay out a scenario of a basic single-doctor healthcare practice and show you the complexities that exist. You’re looking at a diagram that shows a physician practice in the left corner. That physician practice may use an electronic medical record that is hosted in the cloud. That cloud has a disaster recovery site and is also connected with the medical record company. That practice may also use an IT services company that works with their local workstations and servers, and a document destruction company to do their shredding; they may also interface with the lab and the insurance company. So when you start laying out this scenario, and you look at where the PHI is located, what you find is that PHI owned by the doctor is in a lot of different places. Therefore, when you start looking at who has HIPAA Responsibility, everybody who has physical or technical visibility into that patient information is responsible for HIPAA Compliance.
Slide: What constitutes compliance?
The other important thing is to recognize what constitutes compliance. For example, I always look at it as a three-pronged approach. Look at the things you have within your business: you have antivirus software, everyone has a login ID, you do backup and recovery. You have the technical capabilities to do this, which I lump into this whole category called safeguards. To the left of that is policy; you have to have policies and procedures surrounding each one of those. In other words, how often do you back up? Who does it? How is it done, and how is it recovered? The third, and most important, is to be able to prove that. It’s great in practice to say “I do ABC”, but it’s something different in an audit situation when you have to prove that you do it. I always equate HIPAA to the IRS. Yes, it’s great to be able to say I spent this much here and this much there, but if the IRS comes out, they are going to want proof of it. It is the same thing with HIPAA when an audit occurs.
Slide: Who enforces HIPAA Compliance?
So, very quickly, about who enforces HIPAA. One, it is enforced through the United States Department of Health and Human Services in the Office for Civil Rights. In addition to that, along with the HITECH Act, there were also funds appropriated to train individuals within each individual state’s Office of the Attorney General on HIPAA enforcement on behalf of the public. So there are a couple of entities that take part in enforcing HIPAA.
Slide: Is there an easy way to take the first step?
Introduction:
Over the past couple of years with HITECH and now the HIPAA Omnibus Rule, there are higher restrictions with business associates and their vendors. I want to spend some time talking a little bit about that today.
Slide: Agenda
First of all let’s lay out a quick agenda. I want to talk about HIPAA, HITECH, Omnibus, and how it relates to the Business Associate. Then we’ll give some background about the relationships those healthcare organizations have with healthcare entities and medical practices. After, we’ll wrap things up by talking about what comes next; what will be the next step for entities, what will be the next step for Business Associates. Then we’ll have a summary and Q&A section.
Slide: HIPAA, HITECH, and The Business Associate
First of all, let’s talk about this idea of a Business Associate. In the HIPPA world we have a couple different types of organizations. Generally, we know the covered entity gets the most HIPAA exposure; but it’s important to understand that a Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. So, organizations that provide services to position practices, hospitals, insurance companies are considered Business Associates.
Slide: HIPAA, HITECH, and The Business Associate ctd.
The important phrase in that definition is “certain functions or activities”. First thing is disclosures. At this point, a disclosure is the release of some patient information to a third party. There are some Business Associates or vendors of medical providers that have to make disclosures in some cases. The main term, or general term, is that of services.
I also want to spend some time talking about this idea of reasonable and appropriate safeguards. Anybody who has worked with Business Associates knows that you have business associate contracts in place. If you’re a covered entity, a provider or insurance company, you have contracts with your vendors; if you’re a vendor you have contracts with your clients. In those contracts, which are called, Business Associate Agreement or Business Associate Contracts, the names are used synonymously; there is certain language in there that suggests that a Business Associate has to take reasonable and appropriate safeguards.
Slide: Safeguards- Not Just Vague Language
Now I am going to talk about a bit about that language and what that means. When we talk about this concept of safeguards it specifically mentions in Business Associates contracts about administrative, physical, and technical safeguards. In my experience working with a lot of companies, those statements are sometimes interpreted as just safeguards. And what I think Business Associates are learning more and more is that administrative, physical, and technical safeguards are very specific HIPAA requirements and citations. So, the point I want to drive home here is when you’re engaged with a Business Associate, or if you’re a Business Associate engaged with a client those terms are very specific HIPAA requirements. When you’re signing a Business Associate Agreement, understand that you’re committing to meeting those requirements.
Slide: Add HITECH/Omnibus to the Mix
A little bit of history on HIPPA. We know that it came out in 1996 and that from privacy prospective we’ve all had patients sign HIPAA forms, or signed them ourselves as patients. Well, the HIPAA rules have changed a little bit over the years. In particular, the first major change that occurred was when the HITECH Act was introduced in 2009. HITECH was a part of the American Reinvestment Act stimulus package, and it stands for the Health Information Technology for Economic Recovery and Reinvestment Act of 2009. There were a number of things that were put into that whole stimulus plan. First was the introduction of what we now call Meaningful Use; in other words, there were incentives available for providers who had not yet implemented medical records in electronic form to do so. The second part of that entire measure was around educating the workforce and the providers on electronic medical records and technology within the healthcare industry. What is really not widely known is that a good portion of that HITECH Act was set aside to redefine and restructure some portion in HIPAA.
Slide: Post-HITECH/Omnibus HIPAA
The second thing that happened over the last four weeks was we were introduced to the HIPAA Consolidated Omnibus. The consolidated omnibus was a combination of rules that had changed over the years plus the introduction of new requirements that were added, in what I’m calling “HIPAA 2.0”. We had some minor revisions along the way and now we have our second version of HIPAA. So let’s now talk about HITECH and omnibus and what changed relative to HIPAA. First of all, the physicians who are attesting to meaningful use to receive their incentive, there were specific HIPPA requirements built into the whole Meaningful Use standard. Enforcement changed; there were increases in the maximum level of fines, there were also various entities that were made responsible for enforcing HIPPA violations. The other thing that changed is HIPAA ignorance is no longer tolerated. This means that if there is a violation, in the past, it was frequent that an organization would claim they simply didn’t know they had to comply here or have to comply there, and often times they would get a slap on the wrist and be put in a position where they could remedy the situation. Well that has changed, and at this point if you are ignorant of your responsibilities that puts you in the category of willful neglect. The other major piece, the core of this presentation, is the fact that Business Associates and Subcontractors now have the same HIPAA responsibilities as the Covered Entities they service. This one is key because this one says that the Business Associate has to be HIPAA compliant, and so do their vendors.
Slide: The Business Associate Relationship
I am going to lay out the way HIPAA sees the Business Associate relationship. Covered entities are your providers, your hospitals, your insurance companies, your clearing houses. Generally, those covered entities have vendors or groups that provide services; these are defined as the Business Associates. Additionally, those Business Associates may have companies that provide services, and those organizations in the HIPAA world are called subcontractors to the covered entity. The Business Associate has responsibilities to the covered entity, and the subcontractor has responsibilities to the Business Associate. There is a fourth type of organization called a conduit; this is an organization like the US Postal Services or UPS. Ultimately, that conduit has responsibilities to all three of those. However, the one thing that has changed is that conduits are exempt from HIPAA compliance for a number of reasons.
Slide: Post-HITECH/Omnibus HIPAA
Now we will go into detail about what changed relative to HITECH and Omnibus as it relates to Business Associates. One, as mentioned before, is that Business Associates and Subcontractors must comply with all HIPAA Security Rules and relative Privacy Rules. Business Associates and Subcontractors are now liable for any misuse or failure to safeguard protected health information (PHI). Business Associates and Subcontractors must have a relative Breach Notification Process; Business Associates now have the responsibility to identify, recognize, and report breaches through the chain accordingly. Business Associates and Subcontractors are required to provide access to a copy of the electronic protected health information (ePHI) to the covered entity when requested. For example, if you have electronic medical record software and you request an electronic copy of that medical record, the Business Associate is obligated to provide that to you in a type of disclosure. Lastly, Business Associates and Subcontractors must provide access to PHI in the event of an audit. This means that if a Business Associate is chosen for a HIPAA audit, they would have to provide access to the records in the same way that a provider would have to give access to the records.
Slide: HIPAA Compliance Responsibility
I am going to further dive into the responsibilities of the organizations. So, the Covered Entities, the Business Associate, and the Subcontractor all have responsibilities to achieve and maintain HIPAA Compliance. All Business Associates may not apply or have relevant compliance responsibilities to each area under the administrative simplification. It may just be security, depending on the rule, and the purpose they serve. I also note here that the Conduits do in fact not have HIPPA Compliance Responsibilities.
Slide: Business Associate Impact
Let me explain a little bit why the government is putting significant effort in making sure that the BA’s and their vendors are meeting compliance. These stats were pulled from the Office for Civil Rights Health and Human Services, known as the “wall of shame”; it’s when an organization has a breach of 500 or more individuals who are affected by that breach. Ultimately, between September 2009 and December 2012, there have been breaches and the number of patients affected by those breaches is 21,516,294. The numbers that stand out to me are that Business Associates were involved in 21% of those breaches; when you look at the total individuals affected, Business Associates were responsible for 57% of the individuals breached. What were saying here is that the healthcare organizations whose patients were breached, 57% of those individuals was the fault of one of their vendors. As you look at the average individuals per breach, when a BA is involved, there is an average of 106,698 individuals involved per breach. Anybody that has had to deal with a breach knows that it has to be dealt with in terms of cost per individual per breach.
Slide: The Covered Entity’s Perspective
So, let’s look at it from the Covered Entity’s perspective. So, we may have organizations on this call that are providers or Business Associates. I am first going to draw out some enforcement activities, specifically, the categories of enforcement that have been laid out.
The worst possible scenario is to commit a breach or have an audit and be in a category of willful neglect where nothing is corrected. The second willful neglect category is where the violation is corrected. The third category, which is less severe than the other two, is due to reasonable cause and not willful neglect. The final category, and the best scenario you could be in if a breach does occur, is by exercising reasonable diligence would not have known. Understand that, in the event of a breach, or in the event of an audit or investigation, recognize that a fine or penalty is extremely likely, where you fall on this spectrum is directly proportional to the amount of work you’ve done to become compliant and stay compliant. The purpose of this slide is that with the increasing degree of effort, you decrease your decrease your degree of HIPAA Compliance Risk.
Slide: The Covered Entity’s Relationships with Business Associates
Now, let’s talk specifically about the Business Associate relationship and how that factors in. I drew the same parallel with the increasing degree of HIPAA Compliance effort by the Covered Entity, Business Associate, and Subcontractor and its relationship to the decreasing degree of HIPAA Compliance Risk to the Covered Entity.
The worst possible scenario that can exist is that you could be doing business with an organization, a Business Associate, and have no BA contract in place. Obviously, the next best step is to have a BA contract in place. The next best step, relative to impact of the Covered Entity, is if the Business Associate or Subcontractor has conducted a risk assessment. The next best step is that the BA or Subcontractor is taking necessary steps to compliance. The most optimal step is if the BA or Subcontractor produces proof of HIPAA Compliance.
Now, there’s a couple of questions any myths that float around, and I’ll go over those later, but it’s important to understand that the further you take this HIPAA effort, the decreasing amount of risk you’re presenting to your client. One of the questions I often ask is is there a see no evil, hear no evil mentality for HIPAA. In other words, if I don’t do a risk assessment and I don’t uncover anything that’s vulnerable, am I in a worse position than if I were to discover it and uncover it. The answer is yes. If you elect not to perform a risk assessment or to take yourself down the path of business and healthcare and you haven’t done, at the minimum a BA contract or risk assessment, you’re in this situation of willful neglect. In other words, the government or auditor would rather see you do something and perhaps not achieve 100% compliance, but do something on that path as opposed to doing nothing. And of course, as you can imagine, the level of fines and enforcement are relative as you cross the spectrum.
Slide: Common Questions
So I said I’d go over some common myths and questions. First, is the Covered Entity responsible for their Business Associate’s or Subcontractor’s HIPAA Compliance, or vice versa? And the answer to that is no.
Second, is the Covered Entity responsible for engaging in relationships with HIPAA Compliant Business Associates and Subcontractors? And the answer to that is absolutely. The Covered Entity has a responsibility of diligence that they have to execute in making sure that they’re doing business with those who will protect their information.
The last question I’m commonly asked is: if the Business Associate or Subcontractor claims HIPAA Compliance, does this imply that the Covered Entity is HIPAA Compliant? And the answer to that is no. This is very common, and I’ll give you a great example of where I see this. When a practice or a provider implements an electronic medical records software and that EMR software developer produces a HIPAA Compliant statement, many organizations believe that because they have that in hand they have fulfilled their HIPAA responsibilities, when, in actuality, that’s not the case. The practice, provider, health system, or insurance company has to do their own HIPAA Compliance measures.
Slide: HIPAA Compliance of Business Associates and Subcontractors
As I see it, in the HIPAA world, when you’re working with a Business Associate you have two types of compliance that should be measured. The first is solution compliance. For example, I’m going to use the idea of an electronic medical record solution. Solution compliance means that the EMR is HIPAA compliant and is hosted in a HIPAA compliant facility. In other words, the development of that application includes all the measures to control items such as having everyone use their own I.D., having audit trails within the EMR, and other factors.
However, on the institutional compliance side I’m looking for that EMR company and hosting company to have gone through an exercise to make sure that they have all the correct policies and procedures in place, to make sure their employees have been trained, and to make sure they have a disaster recovery plan so that wherever their EMR is hosted is taken care of in the event of a disaster. So I’m looking at it from two perspectives, and it’s important that as you deal with your Business Associates, you look at it that way as well. Another example would be a basic shredding company. For example, I know that nowadays a lot of shredding companies will actually drive a truck to your office where they shred on site. In other words, they’re showing you a HIPAA compliant solution. However, my question to them is: have your employees been trained? Do you have policies around sanctioning employees if they happen to commit a HIPAA violation? So there are two areas to make sure are reviewed in this process.
Slide: A Healthcare Scenario
I also mentioned earlier that I would lay out a scenario of a basic single-doctor healthcare practice and show you the complexities that exist. You’re looking at a diagram that shows a physician’s practice in the left corner. That physician practice may use an electronic medical record that is hosted in the cloud. That cloud has a disaster recovery site and is also connected with the medical record company. That practice may also use an IT services company that works with their local workstations and servers, and a document destruction company to do their shredding; they may also interface with the lab and the insurance company. So when you start laying out this scenario, and you look at where the PHI is located, what you find is that PHI owned by the doctor is in a lot of different places. Therefore, when you start looking at who has HIPAA responsibility, everybody who has physical or technical visibility to that patient information is responsible for HIPAA Compliance.
Slide: What constitutes compliance?
The other important thing is to recognize what constitutes compliance. For example, I always look at it in a three-pronged approach. Look at the things you have within your business: you have antivirus software, everyone has a login I.D., you do backup and recovery. You have the technical capabilities to do this, which I lump into a whole category called safeguards. To the left of that is policy; you have to have policies and procedures surrounding each one of those. In other words, how often do you back up? Who does it? How is it done, and how is it recovered? The third, and most important, is to be able to prove it. It’s great in practice to say “I do ABC”, but it’s something different in an audit situation when you have to prove that you do it. I always equate HIPAA to the IRS. Yes, it’s great to be able to say I spent this much here and this much there, but if the IRS comes out they are going to want proof of it. It is the same thing with HIPAA when an audit occurs.
Slide: Who enforces HIPAA Compliance?
So, very quickly, about who enforces HIPAA. One, it is enforced through the United States Department of Health and Human Services in the Office for Civil Rights. In addition to that, along with the HITECH Act, there were also funds appropriated to train individuals within each individual state’s Office of the Attorney General for HIPAA enforcement on behalf of the public. So there are a couple of entities that take on enforcing HIPAA.
Slide: Is there an easy way to take the first step?
So the question now is: is there an easy way to take the first step? Well, one, I want to reiterate that you should treat HIPAA compliance with the same degree of diligence and urgency as accounting, taxes, and the IRS. Start with a simple checklist, particularly if you are a Business Associate, of areas that need to be addressed. For example, with our organization we have specific services for working with Business Associates to help them understand their requirements, help them understand where their HIPAA vulnerabilities exist, and then help them through that process; in other words, we perform a risk assessment.
To view the presentation, click the link below:
http://www.slideshare.net/HealthCareManagement/business-associate-hipaa-compliance-impact-on-the-business-associate-and-covered-entities