PHI Safeguard Compliance Requirements for HIPAA/HITECH and MU – Part 2

Ed Jones

PHI Compliance Requirements Webinar Questions/Answers – Part 2

On July 30, 2014 we hosted a webinar event with national HIPAA expert, Edward Jones, and sponsored by DataMotion. The event attracted almost 800 registrants so naturally there were a ton of questions. We decided to share the Q&A with our entire audience in a four-part series. You can follow Ed on Twitter @HIPAAsafeguards.

Read Webinar Questions/Answers – Part 1

1.  What do you see as the biggest challenges to compliance and how do we overcome them?

Answer:  Covered entities have not conducted risk analysis, implemented policies and procedures, and effectively trained their workforce members on safeguards.  I spent a year developing the requisite information to help CEs and BAs affordably achieve compliance—in plain language, guidance, and references—because we found empirically that most CEs and BAs that we visited either did not know how to initiate the process or could not do so affordably.  In addition, most CEs and BAs have not provided for a backup electricity supply, which is crucial to being able to readily access ePHI.  Finally, look at compliance as a tool for ensuring the sustainability of your business.  There is another important issue that you need to be aware of with regard to an investigation resulting from a compliance audit, complaint, or breach.  The HIPAA Privacy Rule required compliance in April 2003 (over 11 years ago) and the HIPAA Security Rule in April 2005 (over nine years ago).  The Documentation standard requires maintaining a risk analysis, safeguard policies and procedures, and evidence of safeguard training in writing (which can be electronic) for six years from the last action.  An investigation will want to see archived and current information.  Look at the tiered penalties on page 36 of the Webinar .PPTX.  If your covered entity has been in business for years and you cannot provide evidence of compliance, you may be subject to a penalty at the bottom of the tier.  The solution is to get compliant as soon as possible, as OCR’s enforcement objective is to facilitate security of ePHI, not to punish.  If you are making the effort and are subject to an investigation, you will be better off than not.  Check the Webinar language regarding Resolution Agreements and Corrective Action Plans on pages 37-41 of the .PPTX.

2.  What are ways that CEs should use to assure that their BAs are compliant with HIPAA?

Answer:  The business associate agreement outlines the requirements and responsibilities under the HIPAA Security Rule, relevant HIPAA Privacy Rule provisions specified by the covered entity (based on functions assigned by the covered entity to the business associate contractor), and requirements under the HITECH Act Breach Notification Rule.  Using President Reagan’s rule, “Trust, but verify,” it is up to the covered entity to determine compliance of its business associate, just as a business associate contractor is responsible for making the same determination of its business associate subcontractor.  Of most importance:  ask in a letter whether all business associate personnel with access to the covered entity’s PHI have been trained on the BA’s policies and procedures, and whether all implementation specifications of the HIPAA Security Rule have been implemented and documented.  Also, make sure that the BA is aware of the breach notification reporting requirements—most importantly, informing the covered entity of a breach that occurs on the BA’s watch, including downstream with BA subcontractors.

3.  What specifically has changed in the act that would affect office staff in daily procedures?

Answer:  With respect to safeguards, the provisions of the HIPAA Security Rule were extended to business associates, and certain privacy provisions were changed with respect to use, disclosure, and accessibility.  By no later than September 23, 2014, business associate contracts have to include the modifications of the January 25, 2013, Final Rule.  In addition, a risk analysis has to be reviewed, as regulatory changes associated with the Final Rule require reevaluation.  Finally, all workforce members must be retrained on the Final Rule modifications.  Note:  it is expected that the compliance audits that will begin in the fourth quarter of 2014, and any investigation of a complaint or breach initiated under currently in-force OCR policies and procedures, will focus on evidence that a risk analysis has been conducted or reviewed and updated to reflect the January 25, 2013, HITECH Act modifications, as applicable, and that all workforce members have been retrained on those modifications.  Also, covered entities or business associates that have been in business for years but have not invested in becoming compliant with the HIPAA Privacy and Security Rules may be subject to higher penalties near the bottom of the penalty tiers (see p. 36 of the Webinar .PPTX) for willful neglect.  Those penalties could be lessened or mitigated if a covered entity or business associate can provide evidence of becoming compliant now, as OCR’s interest is achieving widespread protection of protected health information and minimizing breaches, not penalizing organizations.

Ed Jones is an author, and owner and CEO of Cornichon Healthcare Select, LLC, which provides consulting services pertaining to HIPAA/HITECH Act privacy and security compliance, and design of mobile strategies for healthcare transactions.  At Cornichon’s Website, www.HIPAASafeguard.net, Ed offers online privacy and security safeguard guidance and reference tools, and policies and procedures for achieving compliance with the HIPAA Privacy, Security, and Breach Notification Final Rule and the Stage 1 and 2 Meaningful Use Security Measure.