Everyone connected with the healthcare system is aware of the increasing number of audits by the Office for Civil Rights (OCR) to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA). The 2016 Phase 2 rollout is focusing on risk assessments and the agreements with managed service providers (MSPs). Because healthcare service providers handle so much sensitive, confidential information, they are particularly vulnerable to file management deficiencies and security breaches with far-reaching consequences.
If your healthcare service depends on an MSP to manage all your patient information, you want to make sure you have:
- An up-to-date, completed Business Associate Agreement (BAA) that covers all areas of compliance
- A current risk assessment
The OCR has demonstrated its willingness to fine organizations for non-compliance and to publish such results. Information privacy issues are becoming increasingly important as technology becomes more complex.
Is your BAA ready for an OCR review?
HIPAA requires you, as a healthcare provider, to have a contract with any third party who has access to your information. Such an agreement does much more than outline technology requirements. It clarifies and limits use of and access to confidential, personal patient information.
It is important to note that it is not just actual medical records that need protection. There is often sensitive information such as diagnoses, test results and treatment plans in emails, voice mails, and shared files. The primary principle for a BAA is allowing access only to need-to-know information.
To ensure compliance with the HIPAA Privacy Rule, your BAA with an MSP should include clear expectations about:
- MSP use and disclosure of protected health information
- Safeguards to protect PHI from unauthorized use
- Protocol to report any unauthorized disclosure or use
- Availability of MSP practices and records
- Contract termination procedures
The Department of Health & Human Services (DHHS) provides samples of BAAs on its website so even the smallest of healthcare service providers can more easily comply with the Privacy Rule.
Has your healthcare operation conducted a risk assessment?
The HIPAA Security Rule requires you to show a thorough risk assessment that helps identify areas where protected information is at risk of disclosure. The DHHS recognizes this could be a considerable challenge for many healthcare providers. You can find a 156-question Security Risk Assessment Tool on its website that will help you better understand the potential impact of noncompliance and what is really being required.
Most healthcare organizations look to their MSP as a trusted partner in helping them work through a risk assessment, identify areas for improvement, and ensure compliance. You will quickly recognize that an MSP can assist with much more than the IT applications. These specialists can help develop the necessary policies and training.
Need help with your HIPAA audit?
If you need assistance preparing for the HIPAA audit, connect with our Digital6 Technologies team. We can help you understand your responsibilities for compliance, and then we can recommend the right cloud services to accommodate your operations. The latest cloud technology, including the encryption functions of ShareSync, will keep your patient information complete and secure.
At Digital 6 Technologies we provide full-service support so you can be fully confident of compliance with the HIPAA Privacy and Security Rules. Contact us now.