<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: More and More Companies need HIPAA Compliance due to Changing Regulations</title>
	<atom:link href="http://luxsci.com/blog/more-and-more-companies-need-hipaa-compliance-due-to-changing-regulations.html/feed" rel="self" type="application/rss+xml" />
	<link>http://luxsci.com/blog/more-and-more-companies-need-hipaa-compliance-due-to-changing-regulations.html</link>
	<description>News, solutions and insider insight from LuxSci: provider of Secure Email and Web Security</description>
	<lastBuildDate>Thu, 08 Mar 2012 02:57:09 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=293</generator>
	<item>
		<title>By: Jack Anderson</title>
		<link>http://luxsci.com/blog/more-and-more-companies-need-hipaa-compliance-due-to-changing-regulations.html/comment-page-1#comment-889</link>
		<dc:creator>Jack Anderson</dc:creator>
		<pubDate>Mon, 02 Aug 2010 16:21:36 +0000</pubDate>
		<guid isPermaLink="false">http://luxsci.com/blog/?p=3292#comment-889</guid>
		<description>Business associates need to be aware that HHS expects them to be compliant with the terms of any business associate agreements they have signed, now!  Here is the pertinent section from the NPRM:
9. Business Associates and Covered Entities and Their Contractual Relationships.
The proposed rule would extend liability for failure to comply with the Privacy and Security Rules directly to business associates and business associate subcontractors in a manner similar to how they now apply to covered entities. The proposed rule would subject business associates to many of the same standards and implementation specifications, and to the same penalties, that apply to covered entities under the Security Rule and to some of the same standards and implementation specifications, and to the same penalties, that apply to covered entities under the Privacy Rule. Additionally, business associates would also be required to obtain satisfactory assurances in the form of a business associate agreement from subcontractors of any protected health information in their possession. If the business associate learns of a pattern of activity or practice of a subcontractor that constitutes a material breach or violation of the contract, the business associate would be required to make reasonable attempts to repair the breach or correct the violation. If unsuccessful, the business associate would be required to terminate the contract, if feasible. In addition, a business associate would be required to furnish any information the Secretary requires to investigate whether the business associate is in compliance with the regulations.
In the absence of reliable data to the contrary, we assume that business associates’ compliance with their contracts ranges from the minimal compliance to avoid contract termination to being fully compliant. The burden of the proposed rules on business associates depends on the terms of the contract between the covered entity and business associate, and the degree to which a business associate established privacy policies and adopted security measures that comport with the HIPAA Rules. For business associates that have already taken HIPAA-compliant measures to protect the privacy and security of the protected health information in their possession, the proposed rules with their increased penalties would impose limited burden.
We assume that business associates in compliance with their contracts would have already designated personnel to be responsible for formulating the organization’s privacy and security policies, performed a risk analysis, and invested in hardware and software to prevent and monitor for internal and external breaches of protected health information.
We expect that most business associates make a good-faith effort to follow the terms of their contracts and comply with current security and privacy standards.
For those business associates that have not already adopted HIPAA-compliant privacy and security standards for protected health information, the risk of criminal and/or civil monetary penalties may spur them to increase their efforts to comply with the privacy and security standards. Up to this point, the consequences of failing to meet the privacy and security standards were limited to a business loss in the form of a terminated contract. In the context of the business associate’s overall business, the risk of losing the contract may not be a sufficient incentive to warrant investing in added security or establishing privacy policies potentially at significant expense. There may be other more benign reasons such as ignorance of potential threats or lack of knowledgeable personnel on staff. Regardless of the reason, to avoid the risk of the far more serious penalties in this proposed rule, we expect that business associates and subcontractors that have been lax in their complying with the privacy and security standards may now take steps to enhance their security procedures and strengthen their policies for protecting the privacy of the protected health information under their control.</description>
		<content:encoded><![CDATA[<p>Business associates need to be aware that HHS expects them to be compliant with the terms of any business associate agreements they have signed, now!  Here is the pertinent section from the NPRM:<br />
9. Business Associates and Covered Entities and Their Contractual Relationships.<br />
The proposed rule would extend liability for failure to comply with the Privacy and Security Rules directly to business associates and business associate subcontractors in a manner similar to how they now apply to covered entities. The proposed rule would subject business associates to many of the same standards and implementation specifications, and to the same penalties, that apply to covered entities under the Security Rule and to some of the same standards and implementation specifications, and to the same penalties, that apply to covered entities under the Privacy Rule. Additionally, business associates would also be required to obtain satisfactory assurances in the form of a business associate agreement from subcontractors of any protected health information in their possession. If the business associate learns of a pattern of activity or practice of a subcontractor that constitutes a material breach or violation of the contract, the business associate would be required to make reasonable attempts to repair the breach or correct the violation. If unsuccessful, the business associate would be required to terminate the contract, if feasible. In addition, a business associate would be required to furnish any information the Secretary requires to investigate whether the business associate is in compliance with the regulations.<br />
In the absence of reliable data to the contrary, we assume that business associates’ compliance with their contracts ranges from the minimal compliance to avoid contract termination to being fully compliant. The burden of the proposed rules on business associates depends on the terms of the contract between the covered entity and business associate, and the degree to which a business associate established privacy policies and adopted security measures that comport with the HIPAA Rules. For business associates that have already taken HIPAA-compliant measures to protect the privacy and security of the protected health information in their possession, the proposed rules with their increased penalties would impose limited burden.<br />
We assume that business associates in compliance with their contracts would have already designated personnel to be responsible for formulating the organization’s privacy and security policies, performed a risk analysis, and invested in hardware and software to prevent and monitor for internal and external breaches of protected health information.<br />
We expect that most business associates make a good-faith effort to follow the terms of their contracts and comply with current security and privacy standards.<br />
For those business associates that have not already adopted HIPAA-compliant privacy and security standards for protected health information, the risk of criminal and/or civil monetary penalties may spur them to increase their efforts to comply with the privacy and security standards. Up to this point, the consequences of failing to meet the privacy and security standards were limited to a business loss in the form of a terminated contract. In the context of the business associate’s overall business, the risk of losing the contract may not be a sufficient incentive to warrant investing in added security or establishing privacy policies potentially at significant expense. There may be other more benign reasons such as ignorance of potential threats or lack of knowledgeable personnel on staff. Regardless of the reason, to avoid the risk of the far more serious penalties in this proposed rule, we expect that business associates and subcontractors that have been lax in their complying with the privacy and security standards may now take steps to enhance their security procedures and strengthen their policies for protecting the privacy of the protected health information under their control.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

