Achieving Compliance as a Business Associate

A “Business Associate” (BA) is an organization or individual that “creates, transmits, or receives” Protected Health Information (PHI) on behalf of, or in conjunction with, a covered entity (CE). Examples include firms focusing on data storage and analysis, quality assurance, or claims processing for the CE.

Since the latest Omnibus HIPAA Regulations came into effect in 2013, the scope and depth of compliance required of BAs has increased drastically. BAs are now held to the same accountability as CEs. This change is prompting all such associates to closely scrutinize their alignment with HIPAA regulations and make the necessary adjustments.

The recent updates to compliance start with ensuring that there are formalized agreements with subcontractors. From there, it is essential to implement safeguards across several domains: administrative, physical, and technical. A security risk assessment drives this process by comparing the safeguards that are needed against those already in place.

Technical measures are far-reaching, ranging from basic encryption of email to identifying where PHI resides across the organization's systems. Data backup and retrieval systems must be protected against data leaks, with an overarching security system monitoring access to PHI through audit logs. Media and devices should be safeguarded through password protection, encryption, and tracking.


Changes need to be implemented beyond the technical domain alone. Staff awareness, training, and calls for vigilance are essential to this process. Staff members need to understand the rules for compliance as well as the penalties for non-compliance. Instilling principles of vigilance and diligence is important, as is having staff who proactively work to minimize compliance risk. Staff members should be encouraged to consult and, as needed, supplement documentation and processes wherever leaks could occur. Clear roles and authorization protocols must be in place to ensure that only key staff are granted access to the relevant PHI at any given time.

With the recent changes introduced by the HIPAA Omnibus rule, BAs are required to bring their infrastructure up to a level of compliance at or near that of the CEs. Automated tools can greatly help in making this process streamlined and systematic, ensuring that systems are thoroughly secured and thoroughly vetted for HIPAA compliance.