WHAT QUESTIONS SHOULD I ASK OF MY CURRENT IT SERVICE PROVIDER?
Have you performed a Privacy & Security Rule Risk Assessment recently to ensure you are HIPAA compliant?
Have you confirmed your compliance with all 54 HIPAA citations and 136 components?
Do you have updated Business Associate Agreements with all of your partners, vendors, and subcontractors?
What policies and procedures have you put in place to handle the use and disclosure of PHI?
What methods of data storage, on- or off-site backup, and email archiving do you utilize? Are they encrypted and HIPAA compliant?
Have you implemented a training program for your employees?
Do you have systems in place to ensure ongoing HIPAA compliance?
WHAT CHANGES HAVE BEEN MADE TO HIPAA?
On September 23, 2013, the Omnibus Rule went into effect. The Omnibus Rule amends the Privacy and Security Rules of HIPAA (the Health Insurance Portability and Accountability Act of 1996), which now apply not only to Covered Entities (CEs) such as health-care providers but also to third-party Business Associates (BAs) such as IT vendors, attorneys, accountants, and others who come into contact with Protected Health Information (PHI).
These enhancements were first introduced in the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act (ARRA). More commonly known as the “stimulus,” ARRA made federal funds available to speed up the adoption of Electronic Health and Medical Records (EHR and EMR).
The bulk of the changes center on how PHI is handled, how new Business Associate Agreements (BAAs) are implemented, how data breaches are reported, and what penalties can be applied in the case of a breach.
WHAT ARE THE RAMIFICATIONS OF THESE RULES?
If your business or medical practice accepted stimulus funds for EHR/EMR, be prepared for a potential audit by the Department of Health and Human Services’ (HHS) Office of Civil Rights.
If you know that a Business Associate or Covered Entity is not HIPAA compliant, you are responsible for reporting them.
Data breaches affecting under 500 people must be reported to HHS annually; data breaches affecting over 500 people must be reported immediately to HHS and the media.
Failure to properly report data breaches or non-compliance can result in fines of between $1,000 and $1.5 million, along with publicly accessible listings on HHS’ “HIPAA Wall of Shame.”
WHAT DOES CMIT OFFER?
Updated Privacy and Security Risk Assessments
HIPAA-compliant Business Associate Agreements
Policies and procedures to handle the use and disclosure of PHI
Detailed employee training programs
Ongoing compliance management and administration infrastructure
Receive a FREE Checklist for HIPAA Compliance Readiness and an expanded list of Questions to Ask of Your Current IT Service Provider.
In addition, you will receive the white paper: Understanding HIPAA Privacy and Security.