By Jack Anderson
September 12, 2013
If you create, receive, maintain, or transmit PHI on behalf of a covered entity you are a business associate under the HIPAA HITECH Omnibus Rule. This covers a wide range of organizations in the healthcare world, from lawyers, accountants, billing companies,insurance companies, transcription companies, sofware companies, hosting companies, and on and on. Also covered are the sub-contractors of these companies who are now classified as business associates and need to have a business associate agreement with their business associate partner.
HHS has estimated that there are 1.5 million BAs and another 1 million sub-contractors, the vast majority of which are non-compliant. Having been through this type of regulatory shift before we have always felt that folks needed to go through the five stages of grief; denial, anger, negotiation, fear and finally acceptance. We now add a precursor stage of ignorance. Many companies simply do not know that they are a BA or Sub. Here is a little compliance checklist we developed:
HIPAA Compliant Checklist
- Have you formally designated a person or position as your organization’s privacy and security officer?
2.Do you have documented privacy and information security policies and procedures?
3.Have they been reviewed and updated, where appropriate, in the last six months?
4.Have the privacy and information security policies and procedures been communicated to all personnel, and made available for them to review at any time?
5.Do you provide regular training and ongoing awareness communications for information security and privacy for all your workers?
6.Have you done a formal information security risk assessment in the last 12 months?
- Do you regularly make backups of business information, and have documented disaster recovery and business continuity plans?
8.Do you require all types of sensitive information, including personal information and health information, to be encrypted when it is sent through public networks and when it is stored on mobile computers and mobile storage devices?
9.Do you require information, in all forms, to be disposed of using secure methods?
10.Do you have a documented breach response and notification plan, and a team to support the plan?
If you answered no to any of these questions you have gaps in your security fence.
If you answered no to more than three you don’t have a security fence.
**We also have a more extensive survey or 33 questions that can help you identify the specific areas that need to be remediated. If woul like to take the survey send me an email at jack@compliancehelper.com **