
Feds speak out on processes for Business Associate Agreements under HIPAA

In a memo released last month, the U.S. Office for Civil Rights (OCR) raised this question: Is Your Business Associate Prepared for a Security Incident?

Well, how would you answer?

The issue is critical, as OCR audits are in progress under the federal Health Insurance Portability and Accountability Act (HIPAA). The audits extend to business associates, and according to OCR, business associates will need to demonstrate security risk analysis, risk management, and breach reporting procedures.

In its memo, OCR refers to a widespread perception that it is difficult for healthcare providers to know whether their business associates are adequately protecting patient information.

As such, OCR says covered entities should plan in advance for how they will confront a breach by business associates, including subcontractors. OCR’s memo recommends the following:

1. Business associate agreements should define how and for what purposes patient information may be used or disclosed. Be clear about what constitutes unauthorized disclosures and incidents that need to be reported back to the HIPAA-covered healthcare provider.

HIPAA defines “security incidents” as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system. This could include:
  • Attempts (either failed or successful) to gain unauthorized access to electronic Patient Health Information (ePHI), or a system that contains ePHI;
  • Unwanted disruption to systems that contain ePHI;
  • Changes to system hardware or software characteristics without the owner's knowledge or consent.
2. Business associate agreements should specify the time frame for business associates or subcontractors to report a breach, security incident, or cyber-attack. Keep in mind: Reporting should be prompt, and covered entities are liable for untimely HIPAA breach reporting to affected individuals, OCR and, in some cases, the media.

The federal government’s website says that HIPAA-covered providers should file a breach notification by filling out and electronically submitting a breach report form to the U.S. Department of Health and Human Services.

If a breach affects 500 or more individuals, covered entities must file a report promptly, and in no case later than 60 days following a breach. If a breach affects fewer than 500 individuals, the covered entity must submit notification no later than 60 days after the end of the calendar year in which the breach is discovered. The government’s website also describes circumstances that require reporting to the media.

3. Business associate agreements should identify the type of information a business associate or subcontractor will need to provide in a breach or security incident report. Such reports should include the business associate’s name and point of contact information, and descriptions of:
  • What happened, including the date of the incident and the date of the discovery of the incident, if known.
  • The types of protected health information potentially compromised due to the incident.
  • How the business associate is investigating the incident, and what measures are being taken to protect against further incidents.
4. Finally, covered entities and business associates should train workforce members on incident reporting. OCR says covered entities may want to conduct security. 
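As an added example (not code from the original post or from MyHIPAAGuide.com), the small script below turns items 2 and 3 above and the HHS timelines quoted earlier into checks a covered entity's privacy or security officer could run when a business associate's incident report arrives: it flags report elements that are missing, tests whether the business associate reported within the window the BAA specifies, and computes the HHS notification deadline from the 500-individual threshold and the 60-day windows as the post states them. The field names, the ten-day BAA window and the sample report are assumptions constructed for the example.

```python
"""Added example: checks on a business associate's incident report and the
HHS reporting deadline, using the figures quoted in the post. The field
names, the BAA window and the sample report below are constructed."""
from datetime import date, timedelta

# Figures quoted in the post: the 500-individual threshold and the 60-day windows.
LARGE_BREACH_THRESHOLD = 500
HHS_WINDOW_DAYS = 60

# Report contents the post says a BAA should require (item 3). The field
# names are an assumption of this example, not a regulatory schema.
REQUIRED_FIELDS = (
    "business_associate_name",
    "point_of_contact",
    "what_happened",
    "incident_date",
    "discovery_date",
    "phi_types_affected",
    "investigation_and_safeguards",
)


def hhs_deadline(incident_date: date, discovery_date: date, individuals_affected: int) -> date:
    """Deadline for the covered entity's report to HHS, as the post states it:
    500 or more individuals -> 60 days following the breach;
    fewer than 500 -> 60 days after the end of the calendar year of discovery."""
    if individuals_affected >= LARGE_BREACH_THRESHOLD:
        return incident_date + timedelta(days=HHS_WINDOW_DAYS)
    year_end = date(discovery_date.year, 12, 31)
    return year_end + timedelta(days=HHS_WINDOW_DAYS)


def missing_fields(report: dict) -> list[str]:
    """Names of required report elements that are absent or empty."""
    return [f for f in REQUIRED_FIELDS if not report.get(f)]


def ba_report_overdue(discovery_date: date, reported_date: date, baa_window_days: int) -> bool:
    """True if the business associate reported later than the BAA's window.
    The window is whatever the contract specifies; the caller supplies it."""
    return reported_date > discovery_date + timedelta(days=baa_window_days)


def triage(report: dict, reported_date: date, individuals_affected: int,
           baa_window_days: int) -> dict:
    """Combine the checks into one summary the covered entity can act on."""
    gaps = missing_fields(report)
    deadline = None
    overdue = None
    # Dates are needed for the timing checks; skip them if the report lacks dates.
    if "incident_date" not in gaps and "discovery_date" not in gaps:
        deadline = hhs_deadline(report["incident_date"], report["discovery_date"],
                                individuals_affected)
        overdue = ba_report_overdue(report["discovery_date"], reported_date,
                                    baa_window_days)
    return {
        "missing_fields": gaps,
        "hhs_deadline": deadline,
        "ba_report_overdue": overdue,
        "large_breach": individuals_affected >= LARGE_BREACH_THRESHOLD,
    }


# Constructed sample report from a hypothetical subcontractor; the blank
# remediation field is deliberate so the check has something to flag.
SAMPLE_REPORT = {
    "business_associate_name": "Example Billing Services LLC",
    "point_of_contact": "privacy@example.invalid",
    "what_happened": "Misdirected e-mail containing a claims spreadsheet",
    "incident_date": date(2016, 7, 1),
    "discovery_date": date(2016, 7, 5),
    "phi_types_affected": ["names", "dates of service", "insurance IDs"],
    "investigation_and_safeguards": "",
}

if __name__ == "__main__":
    # Hypothetical BAA terms: report within 10 days of discovery.
    summary = triage(SAMPLE_REPORT, reported_date=date(2016, 7, 20),
                     individuals_affected=120, baa_window_days=10)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

With the sample input the script reports the empty remediation field as missing, marks the business associate's notice as overdue (reported 15 days after discovery against a 10-day BAA window), and sets the HHS deadline to March 1, 2017, since fewer than 500 individuals were affected and the clock runs from the end of the calendar year of discovery.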

This blog originally appeared on www.MyHIPAAGuide.com

Pedagogy Guest Blog by author Diane Evans

Diane Evans is Publisher of MyHIPAAGuide.com, a news and information service that helps HIPAA-covered organizations understand their responsibilities.

MyHIPAAGuide.com offers resources for self-conducted Security Risk Assessment, templates for security policies and "Meaningful Consent" Patient Privacy Notices, and much more in an online catalog of 40+ carefully-picked federally produced resources.

MyHIPAAGuide.com also offers news updates and discussion boards, where subscribers may submit questions.

Diane's course, Must-Knows to Keep Patient Information Off Social Media, is accredited as continuing education for nurses and Florida nursing home administrators, and it can benefit all who are in the position of performing HIPAA audits and maintaining HIPAA compliance:
  • Directors of Nursing
  • Human Resources
  • Assisted Living, Residential and Long Term Care Administrators
  • Healthcare Office Managers
  • Medical Records Managers
  • Healthcare Department Manager
  • Insurance personnel
  • Any person in charge of or maintaining patient information or records

Posted: 8/2/2016 4:30:34 PM