Gearing Up for HIPAA Compliance Audits in IT, Part 2: Business Associates

Business associates are liable under HIPAA Security Rule

If you’re responsible for health IT at a HIPAA-covered entity, you’re probably thinking more seriously about the reality of HIPAA compliance audits, which are getting underway this year. As I discussed in my first post on HIPAA audits a couple of weeks ago, the passage of the HITECH Act in 2009 raised the bar on security for protected health information (PHI) and electronic PHI under HIPAA – for both covered entities and what are known as “business associates.”

I’m sure you’re already quite familiar with the term “business associate” and what types of vendors fall into this category (service providers, vendors and third parties that support covered entities). Graphic Enterprises is a dealer of Konica Minolta copiers, printers and document management systems for organizations in Northeast Ohio and Western Pennsylvania; as such, we come under scrutiny because ePHI often passes through our equipment and systems. And we’re just one type of business associate you need to consider. I’m sure you’ve got third-party health plan administrators, CPAs and attorneys, consultants, transcriptionists, pharmacy benefits managers and others in your sights.

So, in the midst of all this headache, what’s the upside for you? It may be a great opportunity for you to get the security upgrades and controls you’ve been requesting for years.

Before HITECH, all the privacy and security requirements between covered entities and business associates were handled via contractual agreements. Historically, the major problem with those agreements was that things were kind of “loosey goosey,” with few standards and criteria to aim for. Now, the responsibilities of a business associate are more defined, as are the liabilities:

  • Security breach notification requirements
  • Cure, terminate or snitch obligations
  • PHI disclosure accounting

We recognize our obligations to provide detailed information about how our products, systems and services meet the requirements of the HIPAA Security Rule. As the one in charge of IT for a covered entity, you have a right and a duty to ask for it. And, in the process, we hope you are given the chance to make your internal health IT systems better than ever!

If you’re part of a HIPAA-covered entity, what kinds of safeguards and security controls are you requiring business associates to document? And, how can a business associate like Graphic Enterprises make audit compliance easier for you?


Gearing Up for HIPAA Compliance Audits in IT, Part 1

Surviving a HIPAA Compliance Audit

When the Federal Health Insurance Portability and Accountability Act – affectionately known as HIPAA – was passed in 1996, no one was seriously thinking about how things like the Internet, electronic health records (EHRs), cloud computing and smartphones would affect personal health information (PHI). Fast forward 13 years to 2009, when the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act. Suddenly, there was an intersection between EHR adoption, government incentives and the safety and security of electronic PHI. Thanks to HIPAA, HITECH and other factors too numerous to list here, the delivery of health care services in the United States is changing rapidly and forever.

This year, the U.S. Department of Health & Human Services (HHS), via its Office for Civil Rights (OCR), launches the first HIPAA compliance audits ever conducted. (It only took them 16 years!) The OCR is planning audits of 150 HIPAA-covered entities in 2012, including hospitals, physician and dental offices, labs, nursing homes and pharmacies. Security compliance will be a major part of the audit, and, in today’s world, that rests heavily on IT folks.

I recently read an article that describes information security as the Achilles’ heel of PHI. Unsecured storage devices, portable devices and the concept of BYOD (bring your own device) make data loss via theft or computer failure a very real issue – and a headache for any health care IT department. Plus, under HITECH, liability for a PHI breach is extended to business associates (i.e., third-party vendors, suppliers, consultants, contractors, etc.). So, if you’re in IT, you have to think about systems security with every business associate you work with.

I know Graphic Enterprises will be considered a business associate by many of our health care customers in Ohio and Pennsylvania who use the copiers, printers and document management systems we provide. In many cases, our equipment and software play a critical role in both HIPAA and HITECH issues and objectives.

If you’re reading this, chances are good that you’re not among the first 150 entities that are being audited this year. But, you can be sure you’ll eventually be under the microscope.

So, in this series of blog posts about HIPAA compliance audits, I want to help you get ready by discussing some of the IT security issues that face the health care industry and how you can minimize your risk – particularly with business associates and the use of copiers, printers, multi-function printers and document management systems.