Wednesday, October 19, 2016

InfoScary (Part 4a) : Medical Issues, Personal Details

Today, let's revisit the scary world of government regulation and personal health information. This September article in the Indiana Lawyer, "Business associate classification and HIPAA liability for lawyers", sums things up quite nicely:
  • "When business associates such as law firms come in contact with PHI from covered entities, they have to comply with regulations that include using the information only for the purposes for which they were engaged, safeguarding the information and helping the covered entity comply with its obligation under the privacy rule."
  • "PHI is interpreted broadly and includes any information about health status, provision of health care or payment for health care that can be linked to a specific individual. It includes any part of a patient’s medical record or payment history. Business associate agreements (BAA) are contracts between HIPAA-covered entities and business associates. BAAs are used to protect PHI in accordance with HIPAA guidelines."
  • "What is the impact of the business associate classification on lawyers and law firms? The lawyer qualifies if he or she provides legal services to such covered entity other than as a member of the workforce of the entity... The commentary in the final rule provides insight into what qualifies an entity as a business associate by stating, 'a person becomes a business associate by definition, not by the act of contracting with a covered entity or otherwise.'"
  • "'Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate.' If the answer is yes, then lawyers and law firms must ensure compliance with the HIPAA regulatory scheme."
  • "As for the security rule, it mandates that business associates address the following areas about their required security risk management program: administrative safeguards; physical safeguards; and technical safeguards. Business associates must implement security measures to reduce risks and vulnerabilities. For example, one measure provided by the security rule is the identification of a security official who is responsible for the development and implementation of the policies and procedures required for the covered business associate. This individual designated by a law firm manages the implementation of security rule requirements and safeguards. Under HITECH, the government is required to conduct random audits of business associates to determine if they are complying with the privacy, security and breach notification rules of HIPAA. In the event this occurs, the security official will be the person the government initially speaks with."
  • "As a business associate, a law firm must notify a covered entity if unsecured protected health information is breached, used, accessed, acquired, or disclosed in violation of the privacy or security rules. Lawyers and law firms that represent covered entities as clients must comply with all relevant HIPAA regulations. As business associates, law firms must adhere to the requirements established by HIPAA, including the required security risk management program consisting of administrative safeguards; physical safeguards; and technical safeguards."
  • "First, administrative safeguards include implementing policies and procedures regarding security and confidentiality of PHI, training new and existing employees on security and protecting PHI, and adopting measures to identify and resolve security violations where individuals improperly access and/or disclose PHI. Second, physical safeguards such as facility access controls, secured floors, networks, offices and computers, security for work stations, and device and media controls should be implemented. Lastly, technical safeguards include computer access control, audit controls, data transmission security, secure passwords and encryption, network security, setting up systems to automatically log off work stations, and assigning unique user identifiers to identify and track user activity."
  • "In light of this enforcement action and with Phase 2 HIPAA audits underway, law firms that qualify as business associates need to ensure compliance with HIPAA’s business associate provisions by reviewing current business associate relationships and executing written agreements (if not already in place) and by reviewing current policies and procedures related to business associates to ensure there are individuals who are monitoring, negotiating and documenting business associate relationships."
