In an effort to make the HIPAA Privacy Rule as easy to understand as possible, the Office for Civil Rights (OCR) has come up with a list of rules that clearly explain what Business Associates are now “directly liable” for. As OCR Director Roger Severino explains, “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.” The list consists of ten rules that, if not followed, can result in penalties and monetary fines.
[Note: Check out our previous post to access this list.]
As we enter the fourth quarter of the year, you may be wondering what immediate requirements a Business Associate should complete before the end of the year.
One of the most important rules concerns Business Associates and their need to provide proof of satisfactory assurance when the Covered Entity requests it of them. Satisfactory assurance is crucial because it ensures the Business Associate is HIPAA compliant, and it must therefore be in the form of a contract.
The Satisfactory Assurance contract is oftentimes outlined in the form of a questionnaire, and requires the Business Associate to disclose the date of completion for various compliance requirements.
These include distribution and completion of workforce HIPAA training, implementation and distribution of policies and procedures, Business Associate documentation, and completion of an annual HIPAA Security Risk Assessment.
Are You Prepared?
If a Covered Entity requests this proof from your organization, would you be able to complete it successfully, without outdated completion dates?
If you are uncertain whether your organization would be able to easily and efficiently provide that documentation, you may be facing thousands of dollars in fines for each vulnerability!
HIPAA Compliance Myths:
False: The security risk analysis is optional for small providers: All providers who are “Covered Entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive MU and MIPS incentive payments must conduct a risk analysis.
False: Our office uses the Cloud, so we don’t need a risk assessment: Even if you have a fully HIPAA compliant cloud vendor, your patient data (ePHI and PII) still must go through all your systems to get to the cloud. So, you are still required to perform technical, administrative, and physical security risk analyses.
False: Our EHR makes us compliant, so we’re fine: While your EHR may provide excellent privacy and security features, it definitely doesn’t exempt you from the HIPAA security requirements.
Live Compliance helps their clients meet the ever-changing and complex HIPAA State and Federal regulations. They protect the information they are entrusted with, and ensure their clients pass any Health and Human Services audits. If you are unsure or need assistance, call Jim Johnson with Live Compliance at (980) 999-1585.
Live Compliance is a partner of EZClaim, a medical billing software company. For more details about their solutions, visit their website at ezclaim.com.