HIPAA Compliance

Episode 9: Know The Rules! HIPAA Compliance – Who Has To Comply?


HIPAA Compliance

The final Omnibus Rule, effective March 26, 2013, requires Covered Entities (CEs) and Business Associates (BAs) of all sizes to comply with most of the HIPAA rules' provisions, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule.

These days most healthcare providers and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other individuals or businesses. The Department of Health and Human Services (HHS) defines this type of service provider as a BA, as defined in 45 CFR 160.103.

In accordance with § 164.306, CEs and BAs must ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) they create, receive, maintain, or transmit. A CE may permit a BA to create, receive, maintain, or transmit ePHI on the CE's behalf only if the CE obtains satisfactory assurances, in accordance with § 164.314(a), that the BA will appropriately safeguard the information.

Every CE must document that its BAs are HIPAA compliant. This requirement includes documenting the BA's workforce training, confirming that the BA has HIPAA-compliant security policies in place, and confirming that there is an incident reporting procedure in place between your practice and the BA.

Documentation

And don’t forget to document your findings – If it’s not documented, it didn’t happen!

Who Has to Comply?

Covered Entities:

Any healthcare provider, health plan, or healthcare clearinghouse that transmits any information in an electronic form in connection with transactions for which HHS has adopted a standard. For example, hospitals, academic medical centers, physicians, pharmacies, and other healthcare providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. CEs can be institutions, organizations, or individuals.

Business Associates:

A BA is a person or entity, including a subcontractor, other than a member of the workforce of a CE, who performs functions or activities that involve access by the BA to PHI. A subcontractor that creates, receives, maintains, or transmits protected health information (PHI) on behalf of another BA is also a BA.

Subcontractors:

An entity to which a BA delegates a function, activity, or service, other than as a member of the BA's workforce.

There is no limit to the number of subcontractors that may be liable, because a subcontractor might delegate functions to other subcontractors, creating a chain of BA entities.

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Newsletter

For tips like this and more, request your copy of the “HIPAA Security Rule – Know The Rules!” newsletter today, and learn more about our FREE monthly webinar.
