As healthcare organizations make their final preparations for HIPAA Omnibus Rule compliance before Sept. 23, they have a number of different tasks, such as business associate (BA) paperwork revisions, to consider. Dykema Gossett, PLLC partner Kathy Kudner explained to HealthITSecurity.com in Part 2 of an interview how her firm has created a HIPAA preparation checklist and the type of work Dykema does when working with an organization on adhering to HIPAA guidelines.
Can you offer a use case where you help with HIPAA compliance?
We’ve developed a HIPAA preparation checklist that includes the privacy and security policies, model [starting point] Notice of Privacy Practices and model Business Associate Agreement (BAA). Then we’ll ask them for a copy of their policies and we’ll provide them with a security risk analysis that they can do internally with their IT department or a third-party IT company can do for them. We can review the documents they have and suggest revisions or additions needed to comply with the new rules. And we can also tell them what they need to do from a security standpoint, but they need to do an assessment on their own.
We’re seeing BAAs with all types of terms in them that aren’t required by HIPAA because I think there’s a general widespread concern about liability. You’re seeing many more indemnification provisions and who’s going to pay the cost of what. None of that language is required by HIPAA, but organizations are just trying to protect themselves.
Under HIPAA, a BA is really a defined term and it’s an exception to the prohibition on uses and disclosures. A lot of organizations say they’re going to make another organization their BA so they can disclose the PHI to them, and that just doesn’t work. Either you’re a BA or you’re not. That’s not a way to disclose information. Many are trying to make existing relationships HIPAA compliant, while maybe the answer is to change the relationship.
How much work is involved with updating BAAs?
It depends on how much information people put in there that they don’t need. A standard BAA isn’t hard to look at or sign; most of them are word for word the same. For example, a client recently included exclusion information about whether they were excluded or debarred from federal contracting. And we had to go back and say we’re not going to sign this. First of all, the hospital would have to go back and make sure they have that type of representation. First-time contracts have to be in place by Sept. 23, but old ones are grandfathered. That’s a big date for organizations.
What happens next with OCR?
I think [customers] will have the privacy documents and policies in place, but I’m not sure they’ll have the security in place. Because if they don’t have them currently, that will involve some cost to put them in place. Some of that can be very difficult. For example, if you’re a home health agency and all of your nurses have a mobile device, it’s really hard to protect against theft and loss. I don’t know how many breaches we’ve had that have involved a stolen laptop. If you look at OCR enforcement, a lot of it is lost or stolen laptops. The more we use mobile devices and cloud-based technology, the more breaches there are going to be.
So I think there will be increased OCR breach enforcement, but I also think they learned a lot from the audit sampling (150 entities) and will apply those lessons going forward. I think it’s going to depend on the OCR budget and what they have to spend on an organization going out and doing the audits.