The Final Countdown for HIPAA/HITECH Compliance


Although HIPAA’s Final Omnibus Rule went into effect in March of 2013, healthcare professionals were given until September 22nd of that year to comply with the new rules and standards.

The only exception to this enforcement date consisted of updating business associate agreements (BAAs). According to the new HIPAA regulations, covered entities (CEs) and business associates (BAs) were legally required to update or establish the appropriate BAAs.
These contracts were to be amended no later than September 22, 2014 or when their existing agreements (if established prior to January 25, 2013) expired, whichever event transpired first. For those who haven’t updated their existing contractual agreements, the time to comply with HIPAA is now – you should act quickly to avoid an audit by the Department of Health and Human Services (HHS) and minimize risk.

What Does It Mean to be a Business Associate?

Even if you don’t believe that you fall under the category of “business associate,” it’s possible that you are incorrect. The Final Omnibus Rule now states that a business associate is defined, per HIPAA, as “any party that creates, maintains/stores, or transmits protected health information (PHI) on behalf of a covered entity.” Perhaps a covered entity employs your business to take care of its medical document scanning, for data storage, or to handle its release-of-information processes. Each of these services, and a number of others, qualifies you as a BA. According to the Final Rule, a BAA must establish the CE’s expectations from the partnership and clearly state that the BA is responsible for complying with HIPAA standards — including reporting a possible breach of security to the CE and to HHS. Any suspected HIPAA violations committed by a BA will be investigated directly by HHS, and severe fines and penalties may be imposed.

Minimizing Risk

Although it’s unfortunate, mistakes can be made and PHI may be compromised. For your protection, HIPAA requires that all CEs and BAs take reasonable measures to minimize risk. Since it’s even possible that a member of your janitorial staff could accidentally obtain and view confidential information, it’s up to you to train staff on the importance of respecting privacy and to have each employee sign an agreement stating that he or she will not access restricted data. To further secure PHI, hard drives and tape media should be stored in lockers or storerooms. When retiring any of these media storage assets, the data should be sanitized or destroyed with NSA-approved equipment, such as certain types of degaussers or shredders, and the work should be performed by a certified ITAD vendor. NIST guidelines and frameworks, such as the Risk Management Framework for information system security, should be followed to manage risk. Additionally, rules and procedures should be put in place that monitor the receipt and removal of hardware and electronic media to and from the facility, and the movement of these items within the facility.

Keep in mind that compromised data is only considered to be a full-blown security breach after evaluating the type of data that was compromised, the person(s) to whom the disclosure was made, whether or not the PHI was actually viewed/acquired, and the extent to which the risk was mitigated. As an example, if a data storage company was hacked but all PHI was carefully encrypted and unable to actually be viewed, the event may not be considered to be a breach, saving you from penalties. Because of this, data security should always be a top priority.

Under the new requirements, business associates must also ensure that their subcontractors sign a written agreement stating that they will adhere to the same restrictions and conditions regarding PHI that govern BAs and CEs. It’s no longer sufficient to only include language indicating that a subcontractor will agree. Whether you are a business associate or a covered entity, it may be a good idea to audit and check your entire chain of custody (not just your subcontractors, but their subcontractors as well, and so on). This is a policy of Lifespan’s, and though it is not required by HIPAA rules, it is one of many things we do to ensure that our clients remain compliant and that their data remains secure.

For more information about business associate agreements, chain-of-custody, and the measures we take to keep your data secure through the entire ITAD process, contact us or call (888) 720-0900 to speak to an ITAD expert.
