New HIPAA Regulations Will Affect You!
On January 17, 2014, new HIPAA rules were released that create some concerns and challenges for healthcare providers and their choice of a technology service and support company. Business Associates now have to comply with HIPAA as if they were Covered Entities. Those of you who support health care organizations will have to implement full compliance programs. All ASCII members have new opportunities to sell managed services to Business Associates.
One of the main reasons for these new regulations is that many data breaches have been caused by Business Associates, which until now have been out of reach of the regulatory authorities. In November 2012, a Business Associate breached 68,000 patient records.
Effective January 17th, 2013, all technical support and service providers to healthcare providers (even if they do not sell EMR systems) must implement a compliance program that includes HIPAA policies, procedures, end-user training, and proof of compliance. Service companies must create HIPAA-compliant workflows to ensure that their employees deal with patient data in a way that does not cause an unintentional data breach. They also need to document their work in great detail to be prepared for audits and data breach investigations if they occur.
Many other types of Business Associates must also comply. These include and others have been specifically identified. (One type of business that is not considered a Business Associate is an Internet service provider that simply moves data between points and does not store it, e.g., Comcast Internet service.)
Encryption is not a HIPAA requirement. However, if a device like a laptop is encrypted and then lost, the loss does not have to be reported. In 2012 a large hospital was fined $1.5 million after a doctor's laptop was stolen. A small hospice paid $50,000 for a stolen laptop. A state health department paid $1.7 million for a stolen hard drive. If these devices had been encrypted, the losses would not have been reportable. If a portable laptop, or even the backup hard drives in your office, are not encrypted and are lost or stolen, your practice could be liable for these types of fines as well.
The Bottom Line
Have your copier company, Electronic Medical Record (EMR) software provider, data centers where offsite backups are stored, shredding company, records storage companies, lawyers (who represent health care providers), accountants, and collections agency provided you with an up-to-date Business Associate Agreement spelling out their compliance program?
Are you absolutely positive that your data security and critical business technology is being handled properly and by trained professionals?
If you are an ACTSmart ProWatch or DataGuardian Client, we have already provided you with our Omnibus Business Associate Compliance Agreement. Can’t find it? Give us a call and we’ll send you another copy!
The California Dental Association's website, in an article dated January 27, 2014, states:
If dentists need to continue using Windows XP past April 8, the minimum requirement for HIPAA compliance is that they address the risks in their risk analysis. Addressing the risks means the dentist knows what can happen and that they have a plan to minimize the risk (they must describe the plan in the risk analysis). That plan also can include a timeline for making the switch away from Windows XP because dentists cannot continue to use that operating system indefinitely.
So when does using Windows XP past April 8 become a HIPAA violation? When a dentist's written risk analysis does not address the risks associated with using an unsupported operating system. As the risks increase over time, dentists are obligated to keep the risk analysis updated.