Tuesday, May 11th, 2010 at 7:13 am
One of the biggest challenges for many of us is doing the risk analysis required by the HIPAA Security Rule. The industry has struggled with how to conduct it, what to cover, and how to document it. This past week the Office of Civil Rights issued a draft guidance document about the risk analysis required by the security rule.
The document is titled “HIPAA Security Standards: Guidance on Risk Analysis” and should be reviewed if you still have not conducted your risk analysis.
The OCR is tasked with issuing annual guidance related to the security rule. Following these guidelines as they are issued will help you stay on top of what you should be doing to be compliant.
Have you conducted your risk analysis? If not, now is the time!
Monday, May 3rd, 2010 at 5:00 am
HIPAA compliance requirements have been greatly changed with the American Recovery and Reinvestment Act (ARRA) and its Title XIII called the HITECH (Health Information Technology for Economic and Clinical Health) Act. With the introduction of this new law, business associates are now accountable for the privacy and security requirements that previously were required only by covered entities. In addition, a business associate is now subject to civil and criminal penalties. This also includes a provision that lets patients receive financial compensation for a violation of their privacy.
This new federal law has added strength to the enforcement portion of the law. The significant changes include:
- Employees and other workforce members, including independent contractors, are now subject to civil penalties. This means that individuals are also now accountable legally.
- There is a requirement for HHS to formally investigate any complaints and to impose civil penalties for violations of the rules if the violation is due to "willful" neglect.
- The law requires that any civil monetary penalties or monetary settlements as a result of a violation of the rules be sent to the Office of Civil Rights (OCR) for enforcement of the privacy and security rules.
- Civil monetary penalties now have a tiered system ranging from $100 to $50,000 depending on the offense.
- The Secretary of HHS is required to conduct periodic audits to be sure that covered entities and business associates are compliant with the new rules.
- The State Attorneys General now have the authority to bring suit in district courts for any violation on behalf of the residents of their state.
What Steps Should a Business Associate Take to Be Sure You Are Compliant?
The first step is being sure you are properly classified. For example, if you are an independent contractor working for a service and not directly contracting with a covered entity, that probably means you are not a business associate but an agent or subcontractor of a business associate. It is important, however, for independent contractors to understand that if your contract is directly with the covered entity, that makes you a business associate and all of the new laws do apply to you.
Some things you need to consider include:
- Assigning responsibility for compliance to one person. While you can have a team working on compliance issues, one person must be named as the compliance officer and be responsible. This does not have to be an employee and you can use a consultant if that works best for you, however, it is critical that you have this person identified.
- Encryption of all electronic files. The HITECH Act has made the use of encryption the one thing that provides a "safe harbour" for not having a breach. Data that is not encrypted is considered unsecured according to the law. While you may already be using encryption for data transfers, this law also requires that information be encrypted while "at rest." This may require that you add encryption to all electronic files that are stored anywhere on your system. If you are in medical transcription, remember that this will also include the voice files stored on any dictation system. The Secretary of HHS will review these standards annually for any changes.
- Breach notifications. While HIPAA has always required that a business associate notify their client of any breaches of information, the law now makes you responsible for being sure the notification is done. A breach is defined as acquisition, access, use or disclosure of unsecured PHI that is not permitted under HIPAA and that compromises the privacy or security of the information. Remember that unsecured data means unencrypted. Documentation of breach notifications must be kept for six years.
- Be sure you are compliant with both the privacy and security rules. There are many points to consider in these rules. You must have written policies and procedures. You must have a written risk analysis done. You also must have a contingency plan in place for any kind of business disruption. Your systems also have to provide audit trails for who accesses protected health information.
- Realize you are responsible for the actions of your workforce. The rules require training of the workforce, which must be done and documented. If you have remote workers, this can be more of a challenge, but it is possible.
- Another significant change is that business associates are now responsible for trying to stop any violations by the covered entity (their client). This includes things even up to canceling your contract with a client who refuses to fix a violation or prefers to ignore the law. Both parties are responsible for doing this for the other, and this could very well change some of the relationships you currently have with your clients.
- Documentation. Remember, it's all about being sure you have things documented. Use the rule of thumb that says "if it's not documented, it wasn't done." It is no longer acceptable to just say you are compliant. You must have written documentation to show that you have done all of the required steps.
The changes that have come as a result of the HITECH Act certainly have a big impact on business associates. The date for compliance is past. If you haven't taken the required steps, now is the time to do it.
Saturday, May 1st, 2010 at 5:37 pm
The US Department of Health and Human Services (HHS) released its semi-annual regulatory agenda this week. Included in this are the updates to the HIPAA privacy, security and enforcement rules and regulations.
The healthcare industry has been waiting for specific information from HHS on how the changes brought about by the HITECH Act will impact the HIPAA rules, and next month should make this more clear.
While the notice did not specify which rules would be impacted, the Office of Civil Rights (OCR), which enforces the privacy and security rules, addressed this earlier this month with the following list:
* Business associate (BA) liability
* New limitations on the sale of personal health information, marketing, and fundraising communications
* Stronger individual rights to access electronic medical records and restricting the disclosure of certain information
Although the HITECH act was effective February 17, neither agency had released any dates as to when we can expect updated rules and regulations until this week. At least now we know they are coming next month.
Monday, April 19th, 2010 at 9:00 am

The Office of Civil Rights has begun to publish the list of organizations who have had breaches of patient information that impact more than 500 people. In browsing this list, it's important to note that it is not just the covered entity who is listed, but also the business associate, if one was involved.
In the list of breaches, OCR lists the company, the business associate if applicable, how many people were impacted, what kind of breach (theft, unauthorized access, other), and what kind of device. It's interesting to peruse this list and see that laptops are frequently being stolen and sometimes even a network server.
The first step in being sure you never end up on this list is to know where you fit in the definitions that are in the rules. Knowing what category you are in helps determine what your responsibilities are related to HIPAA and the HITECH Act.
What are you doing to be sure that the information you work with is protected? Are all of those files sitting on your devices encrypted so that if a device is stolen, the information isn't breached? Do your policies and procedures outline how to handle a breach, and are these in written documentation?
If you are a covered entity, have you updated your business associate contracts with the new requirements for business associates? If you are a business associate, you probably have a lot more to do than those who are covered entities simply because some of this is new for you.
Do what you can today to be ready should a breach happen in your organization. This is not a list you want to show up on!
Wednesday, March 31st, 2010 at 2:39 pm

I've been heavy into the revision for the Stedman's Guide to the HIPAA Privacy Rule the last few weeks. It's an exciting project and one that will now include the security rule and speak to more than just medical transcription, covering healthcare documentation in general. The recently enacted HITECH Act made some very significant changes to the HIPAA rules, and doing this writing has given me cause to wonder just how many business associates are really watching that. It's like negotiating a maze and trying to figure out how to get to the end.
The rules now require a business associate to follow them as if they were a covered entity. That means a lot more work, and it means written policies and procedures that show how you do all of the things required for compliance. It also means updated business associate contracts. Many of the people I've talked to are "waiting on the customer" to get these things done; however, that will not make you compliant, and it sure won't pass an audit should your company be one that the government selects for its random audits. Someone asked me the other day if I found this exciting or scary. My response was that when I think about so many smaller businesses who probably are not doing these things, it's scary. I know what a big job it is to run a business, and just one big fine because you're not doing things right could have a huge impact on your business operations.
Today we have added a page here that shows some of the services we can provide. I hope you will stop and take a minute to look through that. If we can help, we're here.
What are you doing to be sure you have these things in place? Are all of your policies and procedures documented? What's your biggest struggle related to the new changes?