Gearing Up for HIPAA Compliance Audits in IT, Part 2: Business Associates

Business associates are liable under HIPAA Security Rule

If you’re responsible for health IT at a HIPAA-covered entity, you’re probably thinking more seriously about the reality of HIPAA compliance audits, which are getting underway this year. As I discussed in my first post on HIPAA audits a couple weeks ago, the passage of the HITECH Act in 2009 raised the bar on security for protected health information (PHI) and electronic PHI under HIPAA – for both covered entities and what are known as “business associates.”

I’m sure you’re already quite familiar with the term “business associate” and what types of vendors fall into this category (service providers, vendors and third parties that support covered entities). Graphic Enterprises is a dealer of Konica Minolta copiers, printers and document management systems for organizations in Northeast Ohio and Western Pennsylvania; as such, we come under scrutiny because ePHI often passes through our equipment and systems. And we’re just one type of business associate you need to consider. I’m sure you’ve got third-party health plan administrators, CPAs and attorneys, consultants, transcriptionists, pharmacy benefits managers and others in your sights.

So, in the midst of all this headache, what’s the upside for you? It may be a great opportunity for you to get the security upgrades and controls you’ve been requesting for years.

Before HITECH, all the privacy and security requirements between covered entities and business associates were handled via contractual agreements. Historically, the major problem with those agreements was that things were kind of “loosey goosey,” with few standards and criteria to aim for. Now, the responsibilities of a business associate are more defined, as are the liabilities:

  • Security breach notification requirements
  • Cure, terminate or snitch obligations
  • PHI disclosure accounting

We recognize our obligations to provide detailed information about how our products, systems and services meet the requirements of the HIPAA Security Rule. As the one in charge of IT for a covered entity, you have a right and a duty to ask for it. And, in the process, we hope you are given the chance to make your internal health IT systems better than ever!

If you’re part of a HIPAA-covered entity, what kinds of safeguards and security controls are you requiring business associates to document? And, how can a business associate like Graphic Enterprises make audit compliance easier for you?