- Covered entities should not be afraid to regularly review OCR HIPAA guidance and ensure that they remain compliant, even as they add new technologies into the daily workflow, according to OCR Senior Advisor for HIPAA Compliance and Enforcement Iliana Peters.
Peters presented a HealthITSecurity.com webcast earlier this week, discussing key areas of HIPAA compliance such as vendor risk management, business associate agreements, and the importance of ongoing risk assessments.
Covered entities must review their policies and procedures, and make necessary updates as needed. This includes having an updated risk assessment, proper employee training, and documented business associate relationships.
Peters also broke down the key differences between an OCR HIPAA audit investigation and an OCR investigation stemming from a potential data breach.
“The difference is really the purpose of the inquiry and the instigating event,” Peters stated. “Any particular investigation that OCR does will be generated by one of several circumstances: either a complaint is field with us or we start a compliance review that has started as a result of a breach report, news report, or a referral from another agency.”
OCR has broad authority to begin what we call compliance reviews, she added. This essentially includes any review of the compliance activities of an entity based on any type of instigating event or potential report.
“The audit program is really more focused on determining compliance in the industry more generally,” Peters explained. “As for now, it isn’t really meant to result in corrective action, technical assistance, settlement agreements, or civil monetary penalties. It’s really just for the purposes of trying to figure out how our industry is doing from a compliance perspective and what tools and guidance we need to provide or what best practices we can share.”
“That’s our current approach to our audit program,” she continued. “That’s how we’ve approached the last two phases we have undertaken after the passage of the HITECH Act, which included the audit requirement. How we move forward in the future, is still a question that is open for our office and is something we’re looking at as we move forward in the audit program.”
Peters then touched on going beyond HIPAA privacy notices when changes occur with an EMR vendor that is performing research on behalf of a covered entity. Peters stressed that she could not provide a legal or advisory opinion, but that covered entities need to ensure they understand their relationship with any business associate.
“If you’re engaging a business associate for any purpose, whether or it’s for purposes of helping you do research as a covered entity or it’s doing back office billings functions, supplying cloud services, or supplying storage services for your electronic data, etc., you do need to ensure you have a really good business associate agreement in place with that BA,” Peters said.
READ MORE: The Role of Risk Assessments in Healthcare
Covered entities need to understand how a business associate is going to protect its data, she maintained. At the end of the day it is the covered entity’s data. It might not only be patient data that has really important privacy concerns, but it could also be intellectual property.
“You really need to ensure you understand how that entity is going to protect the data that you hand over or that it creates for you,” she said. “You need to know how it’s going to notify you in the case of not only a breach but also a security incident. If they have a security incident that doesn’t necessarily rise to the level of a breach, how are you going to deal with that? If there is in fact a breach, who’s going to do the notifications and when?”
The Privacy Rule does not necessarily require that any one particular entity provides notifications, she added, but the covered entity is ultimately liable for making those notifications. If the covered entity wants the business associate to do that, then that’s something the organizations should work out before a breach occurs.
“Once that 60 day [notification] clock starts ticking, any business associate breach is attributed to the covered entity during that 60 day period,” Peters warned. “If your business associate doesn’t notify you until day 59, it’s going to make it very difficult for you to deal with any particular breach notification situation in a timely manner.”
“That’s the case whether it’s notifications to OCR, individuals, or to the media, which are all required in cases where more than 500 individuals are affected,” she continued. “It’s really important that in any business associate relationship you understand the purpose for the relationship. If it’s research, cloud computing, billing, document storage, document destruction, whatever the relationship is with your vendor, you must understand what the safeguards are that need to be in place on that data.”
That way, the data that the business associate is holding, creating, or transmitting, the covered entity knows what types of safeguards need to be in place to keep that information secure.
Organizations also need to know what kind of responsibilities that business associate is going to have. How are they going to flow those safeguards downstream?
“You need to think about the life cycle of the data just as you do with your risk analysis in any business associate relationship and ensure that you understand: okay, what are we handing over? What are the risks to this data? How are we expecting our BA to protect it? What’s going to happen when there’s a breach?”
Peters added that covered entities also need to think about what happens at the end of the relationship. How will you get your data back? How are you going to ask that business associate to destroy that data?
“These are all issues that you should look at in any business associate relationship,” she concluded. “We have a bunch of guidance on our website about business associates, including sample business associate provisions. Our cloud guidance walks through these as well. Any research questions, I would refer you to guidance we did with the National Institute of Health, on issues specific to research.”