Insights From Our Editors

How Many ODs Have Implemented Electronic Health Records?

July 22, 2015

More than half of ODs have implemented electronic health records in their practice, findings from the American Optometric Association’s 2014 New Technology & EHR Survey reveal. Sixty-two percent of responding optometrists have adopted a complete EHR in their primary practice. AOA member optometrists are significantly more likely to use a complete EHR in their practice (66 percent) than non-members (54 percent). Practice setting and employment situation were also shown to affect EHR use, with more non-solo owners in private practice reporting EHR use (78 percent) than either solo owners (51 percent) or non-owners (62 percent) in private practice.

As you fully implement EHR, it is also the perfect time to review how you protect your patients’ health records and personal information. HIPAA compliance is not optional. The time to become HIPAA compliant is not when the auditor is already leaving your office. Now is the time to make sure you are HIPAA compliant, before the HIPAA auditor visits your practice in the first place.

Let’s focus today on one of the HIPAA rule changes that occurred recently: the HIPAA Business Associate Agreement (BAA). If you have Business Associate Agreements that were signed before January 25, 2013, then you need new Business Associate Agreements signed. As of September 23, 2014, all HIPAA Business Associate Agreements must reflect the new changes. If you missed that deadline, then you are out of compliance. Here’s how to get into compliance.

First, understand the new definition of Business Associates

• The definition of a Business Associate has been expanded. Business Associates now include: subcontractors who create, receive, maintain or transmit protected health information on behalf of a Business Associate; health information organizations, e-prescribing gateways, and certain other persons who provide data transmission services for covered entities; and persons who offer personal health records on behalf of a covered entity.

Second, understand the new changes to HIPAA Business Associates

• Business Associates are directly regulated and responsible for complying with HIPAA.
• A Business Associate must comply, and require its subcontractors to comply, with the applicable requirements of the HIPAA Security Rule.
• A Business Associate must ensure that its subcontractors agree to the same restrictions and conditions that apply to the Business Associate with respect to PHI.
• A Business Associate must report breaches of unsecured PHI to the covered entity.
• A Business Associate must take steps to cure or end the violation (or terminate the relationship) if it knows of a pattern of activity or practice of its subcontractor that constitutes a material breach of the subcontractor’s obligations.

Third, take the following actions

1) Identify all Business Associates
• Here’s an easy way to identify your Business Associates: look at your accounts payable. Accounts payable contains a list of your vendors. From this list, identify the vendors with access to your PHI. Possible vendors with access to your PHI are:

i. IT companies
ii. Transcription companies
iii. Coding and billing companies
iv. Consultants
v. Collection agencies
vi. Shredding companies

Note:
• Under the new rules, a Business Associate now includes any vendor that creates, receives, maintains or transmits PHI on your behalf — even those that do not actually view the PHI. That new definition expands the list to include:

i. Organizations involved in patient safety activities
ii. Health information organizations
iii. PHI data storage companies

2) Review existing Business Associate Agreements
• Update any BAA that does not reflect the new rule changes, and make sure all Business Associates execute an updated Business Associate Agreement.

3) Audit Business Associates
• You have the responsibility to confirm that your Business Associates are handling their duties in conformity with HIPAA rules. To audit your Business Associates, the authors of “Updating HIPAA Business Associate Agreements: 3 Steps” suggest you ask them these six questions:

o Do you have updated policies, procedures and manuals that your organization follows to show compliance with HIPAA?
o Have you trained all of your employees on the privacy and security procedures covered by HIPAA and documented the training?
o Do you have a mechanism in place to train new employees and document the training?
o Have you recently (certainly within the last year) completed a security risk assessment and documented this assessment?
o Do you have mechanisms in place to ensure you remain compliant with HIPAA?
o Do you have mechanisms in place to ensure any subcontractors that will have access to PHI agree to the same restrictions, conditions and requirements that apply to the business associate with respect to such information?

The key point to know is this: you can be found liable if a Business Associate is found to be negligent in the handling of PHI. It is therefore important to document your due diligence in auditing your Business Associates.

Don’t put this off. Do this today.

References

Health Privacy. U.S. Department of Health & Human Services.

HIPAA Update. Aronberg Goldgehn.

Updating HIPAA Business Associate Agreements: 3 Steps. Physicians Practice.
