Gerry Hinkley, a partner at the law firm Pillsbury Winthrop Shaw Pittman who also holds leadership roles at the eHealth Initiative and with HIMSS, recently participated in an interview with Information Security Media Group on the challenges associated with Business Associates Agreements under the Omnibus Final Rule.
Hinkley says that despite a quickly approaching final compliance deadline of September 2014, Business Associates are a bit behind in their HIPAA-HITECH efforts. It’s true the requirements and expectations under Omnibus have created massive pressure on BAs, both from federal and state regulators as well as each Covered Entity a BA serves. Many have not adequately responded to the new challenges.
In the article, Hinkley offers guidance for BAs who find themselves playing catch-up. We summarized his advice into two major takeaways.
1. Start with a bona fide HIPAA risk analysis.
“Conducting your risk assessment should be job number one,” Hinkley said. We agree.
Risk analysis and risk management will be centerpiece issues during Phase 2 of the HITECH-mandated audits in 2014, as well as in any investigations conducted by the Office for Civil Rights. If a BA doesn’t effectively understand and address its major areas of risk, it will very likely end up on the wrong end of an investigation or breach.
2. Make sure your ongoing risk management and overall compliance efforts take a systematic approach.
Hinkley says that HIPAA compliance can’t be “just a binder on the shelf that you bought 12 years ago. It has to be part of operations. It has to be part of your compliance initiative, and every employee who comes into contact with protected health information needs to know about the program.”
This is why we believe so strongly in the power of HIPAA software solutions to assist in developing a mature, repeatable and sustainable process for compliance. This is how we approach it.
So, as the pressure builds and the clock ticks, are you prepared to respond to the expectations of the Covered Entities you support? Are you doing all you can to manage your risk and avoid a major security breach? If OCR paid you a visit, would they be satisfied that you have made good-faith efforts to become and remain HIPAA-HITECH compliant? If you are a BA, the time to have solid answers to these questions is right now!