A Guide to IT Contracting by Michael R. Overly, Matthew A. Karlyn

16 Health Insurance Portability and Accountability Act (HIPAA) Compliance
CHECKLIST
HIPAA/HITECH Compliance
Health Information Technology for Economic and Clinical
Health Act (HITECH) Act
Civil and criminal penalties
Expanded denition of business assosiactes (BAs)
Who Are BAs?
Working on behalf of covered entities (CEs)
Providing protected health information (PHI) data to CEs
Vendors contracting with CEs
Failure to Comply with HIPAA
Civil monetary penalties (CMPs): $100 to $10,000/violation
Criminal penalties
Mandatory Health and Human Services (HHS) investigation and assessment
Civil actions by state attorneys general (AGs)
Security Breach Notication
Must notify CEs of unsecured PHI breaches
CEs must notify individuals
CE may need to notify HHS and local media
BAs bear burden to prove reasonable delay in notification
Security breaches of unsecured PHI include unauthorized acquisition, access, use, or disclosure of PHI
Unsecured PHI is not encrypted or destroyed
CEs must notify patients within sixty days after discovery of breach
Date of discovery or date breach should have been discovered
Information BAs provide to CEs following breach
Contractual obligations of BAs to notify on behalf of CEs
Compliance with state laws
BAs’ internal policy for notication
Contractual binding of subcontractors
HIPAA Security Rule
Administrative, physical, and technical safeguards
Specific standards of implementation
Gap analysis for shortfalls
HHS recommends technical safeguards
Subcontractor agreements
Information security due diligence questionnaire
Statutory Liability
Amending noncompliant BAAs
Renegotiate with CEs
BAAs increase in complexity
Indemnifying CEs
Required notication of breach on behalf of CEs
Responsibility for costs of breach
Dra form amendments to BAAs
Minimize negotiation terms not required by law
Reect new obligations of BAs, but protect from liability for sub-
contractor breaches
Additional HIPAA Requirements
Comply with new minimum necessary standards
Use of a limited data set?
Ongoing assessment of what is minimum necessary
CEs must account to individuals for disclosures from electronic health records (EHRs)
Monitor developing HHS advice
No direct or indirect remuneration to BAs for EHR or PHI
Making recommendations for products or services
Steps for Breach Notification Compliance
Analyze existing policies and procedures
State breach notication requirements?
Health Insurance Portability and Accountability Act Compliance • 177
Designate person to ensure breach investigation and determine
if breach occurred
Outside legal counsel
No unreasonable delay in reporting
Impacted individuals identied
Impacted individuals reported to CE
Employees trained on reporting breaches and handling PHI
Sanctions for employees
Can BA-controlled PHI be secured?
  - Encrypted
  - Destroyed
Amend existing reporting policies
Seek outside legal review of amendments
Risk prevention and mitigation strategies
Decrease risk of breach?
Insurance covers costs from breach?
Steps for Security Rule Compliance
Perform gap analysis
  - Administrative safeguards
  - Physical safeguards
  - Technical safeguards
Make written policies and procedures for each standard above
Seek legal review of policies
Train employees on requirements
Amendment of BAAs
Dra template amendments
CE may conduct due diligence of BA
Negotiate broad indemnication or cost-allocation provisions
Terms in existing service agreements conict with BAA?
Amend subcontractor agreements
Inventory HIPAA-Related Policies
Current policies facilitate compliance?
Accounting for disclosures made from an EHR?
Minimum necessary disclosures/limited data set?
Prohibition on sale of EHRs or PHI?
Conditions on marketing communications?
Training procedures for personnel?
Review sanctions for employee violations