Breaches of the Health Insurance Portability and Accountability Act (HIPAA) occur more frequently than you might think. According to the U.S. Department of Health and Human Services (HHS), there are an estimated 19,000 HIPAA breaches reported annually.
Any unauthorized disclosure of individually identifiable protected health information (PHI) by a covered entity, its business associate or a subcontractor of a business associate constitutes a breach of HIPAA. In an age of digital recordkeeping, when many businesses and other entities may need legitimate access to PHI, preventing information breaches can be a significant challenge.
Regarding the Privacy Rule, many of the provisions affect LTC/Acute Care assisted living providers as well as “covered entities” and/or “business associates.” The definition of “business associate” has been substantially expanded and includes many subcontractors. It is very important that you fully understand the Privacy Rule in HIPAA so you can avoid the legal ramifications of a breach.
Here are eight ways to protect yourself under HIPAA requirements.
- Have contracts with business associates. Ensure that you have contracts with all business associates and that each contract specifically provides you with an assurance that associates will comply with the privacy rules of HIPAA.
- Have contracts with subcontractors. Additionally, business associates should ensure that they have contracts with any subcontractors who fit the definition of a “sub” business associate, and that those contracts spell out the “satisfactory assurances” that PHI will be protected as required by the rules.
- Don’t wait. In the event of a HIPAA breach, do not hesitate to notify the proper authorities. You have 30 days to act. The 30-day cure period for violations due to willful neglect (and other violations) begins on the date that an entity first acquires actual or constructive knowledge of the violation and will be determined based on evidence that HHS gathers during its investigation.
- Purchase insurance. Having insurance that would cover HIPAA breaches is often advisable. Be sure that business associate agreements contractually indemnify parties against breaches.
- Review business associate compliance. Simply having an agreement is not enough. Covered entities should be vigilant in knowing that their business associates are compliant with HIPAA and privacy rules. Make sure your compliance agreement is accompanied by actual monitoring of all involved parties.
- Complete a comprehensive overview. Do this with an outside contractor if necessary. Have them review your cyber-security, your risk of a breach or cyber-attack, and the ability of an outside hacker to obtain PHI and then disseminate it.
- Run a mock audit. Complete a mock audit for your group/facility and update your facilities using the HIPAA compliance manual as a guide. In addition to updating the risk analysis, a facility should run a “mock” audit because it is an accurate, effective method of reaching optimal security.
- Use encryption. It is vital to use encryption on any e-mails in which PHI is transmitted. Any HIPAA contracts should also spell out indemnity provisions for any fines/penalties that anyone “up the chain” could incur as a consequence of a business associate’s, or a sub-business associate’s, failure to comply with HIPAA, as well as their obligation to promptly report any breaches up the chain. Civil money penalties were increased from a cap of $25,000 for the same violation to $1.5 million, clearly a sign that the government is demanding strict compliance or else.
By understanding the rules and monitoring compliance, you can better protect yourself. For more information on HIPAA and the Privacy Rule, contact an attorney at Bodie Law.