HIPAA Compliance
The final Omnibus Rule, which became effective on March 26, 2013, requires Covered Entities (CEs) and Business Associates (BAs) of all sizes to comply with most of the HIPAA rules' provisions, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule.
These days, most healthcare providers and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other individuals or businesses. Health & Human Services (HHS) defines this type of service provider as a BA, as set out in 45 CFR 160.103.
Under § 164.306, CEs and BAs must ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) they create, receive, maintain, or transmit. A CE may permit a BA to create, receive, maintain, or transmit ePHI on the CE's behalf only if the CE obtains satisfactory assurances, in accordance with § 164.314(a), that the BA will appropriately safeguard the information.
Every CE must document that its BAs are HIPAA compliant. This requirement includes documentation of the BAs' workforce training, evidence that they have HIPAA compliant security policies in place, and confirmation that an incident reporting procedure exists between your practice and each BA.
And don’t forget to document your findings – if it’s not documented, it didn’t happen!
Who Has to Comply?
Covered Entities:
Any healthcare provider, health plan, or healthcare clearinghouse that transmits any information in an electronic form in connection with transactions for which HHS has adopted a standard. For example, hospitals, academic medical centers, physicians, pharmacies, and other healthcare providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. CEs can be institutions, organizations, or individuals.
Business Associates:
A BA is a person or entity, including a subcontractor, other than a member of the workforce of a CE, who performs functions or activities that involve access by the BA to PHI. A BA also includes any subcontractor that creates, receives, maintains, or transmits protected health information (PHI) on behalf of another BA.
Subcontractors:
An entity to which a BA delegates a function, activity, or service, other than as a member of the BA’s workforce.
There is no limit to the number of subcontractors that may be liable, because a subcontractor may itself delegate functions to other subcontractors, creating a chain of BA entities.
Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details; they expect those details to remain secure.
Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?
For tips like this and more, request your copy of the “HIPAA Security Rule – Know The Rules!” newsletter today, and learn more about our FREE monthly webinar.