This guest blog was contributed by Nancy Hammervik.
If you’re a health care provider, you know about HIPAA. Even if you’re not, you’re probably aware of the form you sign at the doctor’s office informing you of your privacy rights. But this year – as of Sept. 23 – companies that support health care providers and others that come in contact with protected health information are now considered “business associates” that must comply with HIPAA. This means many companies working with health care businesses of all stripes need to get in line with the law. So below we outline the steps solution providers need to take to ensure compliance and share what you need to know now.
Who qualifies as a business associate?
Business associates can include cloud providers, shredding companies, printers, data centers, copy vendors and IT servicing companies. If protected health information passes through your organization at any time – even if the data is encrypted – you must implement full compliance programs, conduct a HIPAA risk analysis, train your workforce, and perform and document HIPAA-compliant tasks.
Step one: business associate agreements
If you determine that you need to take action, what’s the first step? “The main thing to do is to make sure your cloud, data center and backup vendors not only sign business associate agreements, but really are complying with HIPAA,” said Mike Semel, president and chief compliance officer at Semel Consulting, which specializes in certified HIPAA compliance.
The business associate agreement is a contract between a covered entity and a service provider that must contain specific language. Agreements should also exist between business associates and subcontractors such as original equipment manufacturers (OEMs) and service providers. Samples of business associate agreements can be found on the U.S. Department of Health and Human Services website. Either party can provide the contract. Existing agreements must be replaced with those that contain updated language by Sept. 22, 2014. These contracts should include additional language such as the rights to audit, demand proof of compliance and report breaches in time to meet federal and state guidelines.
Step two: conducting a HIPAA risk analysis
A HIPAA risk analysis is required for every HIPAA covered entity and business associate. “It is the first issue listed in almost every enforcement action,” Semel said. “You must identify all the locations of protected health information and how it enters and leaves your organizations. You must identify the vulnerabilities to the security of the data and the threats that could act on the vulnerabilities.” After tracking how data flows through your organization, it’s time to calculate the risk. Although you could tackle this yourself, the U.S. Department of Health and Human Services suggests hiring an experienced professional to develop a risk analysis that will sustain scrutiny.
Step three: learning how to comply
Once you’ve determined that compliance is necessary and you’ve conducted your risk analysis, it’s time to implement and execute compliance steps. According to Semel, a compliance program includes written documents like HIPAA-specific policies and procedures, the HIPAA risk analysis, evidence that the workforce has been trained, and documentation showing you are delivering HIPAA-compliant services.
To illustrate what compliance looks like, let’s dissect a simple service like a hard-drive replacement. Pre-HIPAA compliance, the technician would simply remove the hard drive and either dispose of it or return it to the manufacturer for a core credit or warranty. In order to make this service HIPAA-compliant, we need to add a few more steps. First, the technician would need to follow a compliance checklist, which would likely include erasing the old drive at the client site and saving the erasure report to ticket. When removing the old drive, the tech would need to track and transport it before destroying it. Proof of compliance comes in by documenting the damaged drive, saving a photo of the drive to ticket, and then disposing of it. Finally, the technician would send a report to the client’s compliance officer. This takes extra time and effort. Semel said solution providers should schedule additional time to deliver compliant services and can charge more for compliance services than basic technical services.
Step four: training your staff
Essentially everybody on your team should be aware of HIPAA. This doesn’t mean they have to be experts. “Some employees don’t need to be HIPAA experts, but they must know what they should and shouldn’t do,” Semel said. For example, technicians and engineers should know how to follow the compliance service checklist and provide detailed documentation, while a service coordinator should know enough about the process to schedule enough time to get the job done. Semel says that management and sales roles have the opportunity to get certified and become more knowledgeable, which can translate into new business or even the chance to sell training.
Step five: document, document, document
Detailed documentation at the time of service is the key. Semel recounts a time when he asked his techs and engineers what they thought he was paying them for, and they responded with the usual suspects: setting networks, fixing problems, etc. “I said, ‘No. That may be why you come to work, but I am paying you to document all of those things so we get paid and are compliant with regulations.’” The ability to add documents and photos to a ticket within a system is valuable. If you find yourself in the midst of an investigation, the more details you have, the better. “Your worst day will not be a data breach, but the day that you can’t provide documentation that you really did do the right things to comply with HIPAA,” Semel said.
Nancy Hammervik is senior vice president of industry relations at CompTIA. She is a graduate of the University of Delaware, where she received a bachelor’s degree in marketing. She is a finalist for a prestigious Stevie Award for Women in Business.
Posted on 09/30/2013