In addition, a covered entity must have the right to terminate any agreement with a Business Associate should the data breach not be addressed. The covered entity must report any failure to address a security problem to the Department of Health and Human Services Office for Civil Rights.
HIPAA Compliance Audit
HITECH not only requires Business Associates and covered entities to include specific privacy and security provisions in their contracts; it also requires the Department of Health and Human Services to conduct HIPAA compliance audits. These audits review the following areas:
• Formal or informal policies that exist to identify risks and vulnerabilities in data security
• Formal or informal policies related to HIPAA Security Rules
• Formal or informal policies related to audit logs, access reports and security incident reports
• Whether security measures are sufficient to reduce risks and vulnerabilities
• Assignment of a HIPAA Security Official, with clearly defined job responsibilities for that position
• Whether the level of authorization of workforce members is well-established
• Formal documentation that identifies levels of access to information systems that house electronic medical information
• Knowledge, skills and abilities of staff to fulfill the roles they are assigned
• Policies and procedures designed to grant access to electronic medical information and the steps for terminating access
• Whether policies and procedures are consistent with HIPAA Security Rules
• Training process that addresses HIPAA policies
HIPAA Business Associate Compliance
One issue with the regulation requiring HIPAA Business Associate compliance is that many of those who fall under it may not have known they were considered Business Associates. In addition, covered entities had several years to bring their records into compliance, while Business Associates were not given that luxury. Therefore, in order to meet Business Associate compliance, those companies must determine which of their business relationships involve organizations subject to HIPAA compliance and then conduct a HIPAA compliance assessment. Once the assessment identifies regulatory obligations, current compliance, and gaps related to the HIPAA-HITECH regulations, the company can develop a plan to meet the requirements of the statute. One necessary part of compliance is the creation of an Incident Response Plan in order to mitigate the risks of potential data breaches.
With the new regulations in place, companies that fall under HIPAA Business Associate compliance must take steps to be sure that their policies and procedures meet legislative requirements, as they could be subject to a HIPAA compliance audit. Although this puts a burden on the companies identified as HIPAA Business Associates, it will provide better protection for patients and for the business itself in the long run.