Tag: Business Associate Agreements

Posted on

A Cloud Based EMR Does Not A Compliant Entity Make

Snake-oilRecently, a question came up that involved entities that said they are perfectly fine with HIPAA compliance because they use a cloud based EMR (or EHR) who takes care of all their HIPAA compliance for them.

A discussion ensued ending with the question:     This can’t really be true, can it?

I suppose someone could dream up some condition and try to argue it is true.  I, however, tend to follow the statistics.  The chances any group is able to have all the HIPAA compliance requirements handled by their cloud based software provider is so very tiny I will say it can not actually be true.  Yes, some vendors may tell you just that but the term snake oil salesman comes to mind……

Here is your check list of things your vendor must provide to take care of all your compliance for you.  If you actually do have a vendor with all this covered and documented, please let me know.  I am eager to get to know them and work with them.

Does your vendor….

  • Provide a complete and thorough Risk Analysis looking at everything you store in your office that could include PHI.
  • Know every record that comes in and out of your office and how it is managed?
  • Configure your network security and firewall?
  • Monitor you computer systems to confirm they have all their security updates and an active antivirus/malware system?
  • Provide documentation and reports that compliance activity is taking place and reviewing the results?
  • Confirm data you exchange with every single business associate you work with is secured and protected properly?
  • Confirm your Business Associate Agreements are properly in place with every entity that you have a BA relationship?
  • Perform due diligence with all your Business Associates?
  • Update your Notice of Privacy Practices (NPP) to make sure all cases your office should cover is included properly?
  • Confirm you post your updated NPP properly to meet the new requirements?
  • Create a complete disaster recovery and business continuity plan that covers all aspects of your operation being functional?
  • Complete a physical site security checklist and determine all your physical safeguards are adequate and properly documented?
  • Review your administrative safeguards to confirm they are adequate and meet the required and addressable elements properly with documentation of same?
  • Create and monitor a plan for disposal of all media and equipment that may contain PHI – like printers and copiers?
  • Create and document a breach response plan?
  • Create, monitor and execute a training plan for every member of your staff regarding HIPAA terms, requirements, acceptable uses and disclosures, how to identify a breach, what your own internal policies and procedures require for HIPAA and more?

Should I go on, because there is more?  For now, I will just leave it at that.

Don’t get me wrong.  There are a lot of HIPAA things, in the Security Rule especially, that you can outsource to your cloud software provider.  But, even those things don’t relieve you of responsibility.  It is up to you to make sure you document completely and audit regularly to make sure those functions like backup and recovery of the data they maintain, up-time guarantees,encryption at rest and in transit, password and user access controls, etc are actually working as required.

The wall of shame is full of CEs and BAs that thought someone else was taking care of their compliance.  You can’t just say someone else is doing it for me.  If you do, you probably need more training before making your final HIPAA decisions and, of course, detailed documentation of those decisions.   It really takes time and effort on every entity’s part to create their culture of compliance that is really required to make an honest stab at HIPAA compliance in your office.

All this is really a question any CE or BA should be asking themselves no matter who their vendor may be.  Do we have all these things covered?  If you don’t then you definitely need to consider getting some help.  There is a lot to do and you can’t just “mail in” your compliance requirements.

 

Re-posted with permission. Original post located here.
Posted on

Do Your BA Due Diligence

Long gone are the days that you pull down a template Business Associate Agreement and everyone just signs it.  BAs may not understand the extent of their obligations under HIPAA.  You need to confirm your agreements plus check what they are really doing to comply.

I really don’t recommend blindly using a template agreement to anyone.  Make sure you know what the agreement is committing for both parties.  There are optional things in those templates that can cause problems for some businesses.  Many folks just rolled them all in there and never looked at the implications closely.

Once you have the agreement worked out, get at least a general understanding of what each BA is doing for their own compliance including BAs they use to provide services.  We use a due diligence checklist to help with the process.  Here are a few things we have learned while doing them.

IT Support Companies.  If you are trying to manage HIPAA Security requirements without some sort of IT company involved (or your own IT staff), you probably aren’t doing everything that is required.  Someone has to understand firewall logs, encryption key management, network scanning, etc.  BUT, make sure the one you do use is HIPAA compliant.  If they have admin access to all your servers they have access to everything; and they can’t do their job well without that level access.

We find that most IT companies have the security part of the rules covered, maybe not documented fully but mostly in place.  The real problem comes when you ask about anything outside the Security Rule.  They should have a training program, understand minimum uses and disclosure requirements, breach notification policies and procedures and a few more things that have nothing to do with the Security Rule.  Make sure they understand there is more to HIPAA than the Security Rule.

Collections Services.  Collections services vary widely in the data they gather.  Many of these services may not specialize in medical but make it a segment of their business.  Be very thorough with any service that doesn’t offer specific secure connections or instructions for data exchange.  When checking these guys you have to ask about Security first.  You may never even get to the things outside of security requirements before you know you have a problem.  Make sure to determine how much medical work they are doing first then ask about the rest of compliance, especially how they worry about encryption at all stages of the process.

Accounting/CPAs.  Sometimes these are also collection or billing services which may make things easier.  Think through what you do with them otherwise and make sure you understand exactly what they are doing with your patient information they may be privy to for their services.   In cases where they are simply doing accounting they may only see patient data when dealing with large balance accounts or writing refund checks.  It is still PHI.  Make sure they have a plan to protect PHI.  Also, make sure they train employees on HIPAA even if they think they are discreet enough because they have to be for everyone.

Billing Services.  These guys deal in high volumes of data moving through their offices all the time.  They usually have a decent understanding of the uses and disclosure rules but may be lax in security within their office.  Also, they have a lot of downline BAs and subcontractors in most cases just in processing services.  Make sure they have security plans in place and understand clearly what their BA and subcontractors obligations include.

Transcription.  A wide array of situations are occurring when we ask about transcription.  You need to be sure you know if they are signing your BAA but using subcontractors that may not be signing one with them.  This area can get very messy just working out who is storing data and who is accessing data.  Review every part of their set up to be sure they are covering their bases.  Make sure you check a lot of details with this BA both for a service as well as individual contractors.

Many of the compliance management tools include BA management features.  It is a very valuable tool to help you keep up with all this information and documentation.  It is hard enough to keep up with our own stuff but you have to get some info about all their stuff too.   It is important, though.

By checking on your BAs to make sure they truly understand their obligations, you better protect your patients and your business from compliance problems that aren’t under your roof.  If you have a BA that you know is a BA but they don’t want to become compliant, you have very specific steps you need to follow in order to protect your compliance status.

  • Take reasonable steps to cure the problem with the BA and get compliance in line
  • If a BA still does not comply, you must terminate the business contract on HIPAA compliance grounds.
  • If there is no other entity you can get the service provided by the non-compliant BA, you must report them to HHS.

One more thing…….  BA management isn’t just for CEs anymore.  All you BAs need to follow the same process for your BAs.

Original article authored by Donna Grindle, used here by permission.