Complying with HITECH Act of 2009 for Data Security - January 15, 2010
Orlando, Florida -- As of February 17, all business associates (BAs) must comply with the HIPAA security rule and parts of the privacy rule or face stiff penalties.
It's time to do a last-minute check to make sure they are.
Know your BAs. Most importantly, double-check your list of BAs, says Brian McCarthy, CISSP, CISM, and President of Sencilo HealthIT Solutions, LLC in Lake Mary, Florida.
Make sure that anyone who could qualify as a BA has been accurately identified as a BA. For example, your organization may not realize that a consultant who has access to personal health information (PHI) actually qualifies.
Make sure organizations you have identified as BAs actually are, says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ.
In the early days of HIPAA, many organizations decided to err on the side of caution and made pretty much everyone sign a BA contract, says Ruelas. But that decision may come back to haunt them with this new compliance date pending.
Gauge your BAs' readiness. The next item on your last-minute checklist is to make sure that your BAs know that they are expected to comply with these regulations. Some organizations, even this late in the game, might not even know that they are required to be HIPAA compliant, says Ruelas.
Don't just ask your BA if they are HIPAA compliant; ask them specific questions to gauge their readiness, such as how they will handle specific scenarios, says Borten. Some BAs also may not understand the full extent of what they are now required to do, says Ruelas. For example, they might know they have new breach notification requirements but be unaware of their other responsibilities, says Ruelas.
Make sure your BA contract language is up to date. Once you've checked up on your BAs, make sure you have legal contracts that include all the language required by the privacy and security rules and HITECH Act.
Put expectations in writing. For example, make sure that the covered entity and BA agree on action parameters when a breach is discovered. Spell out in the contract how long the BA has to report a breach to your organization once it is discovered.
Requiring that rapid notification will ensure that you are being notified in a timely manner and also that you can work with the BA to determine the cause and fallout from the breach by the time you are required by federal law to report it, he says.
Brace for contract updates. Be prepared to update the contract next month when the government is expected to release new breach notification guidance. Many hope that this guidance will clear up some lingering questions related to how elements of the HITECH Act should be incorporated into BA agreements.
Hire an attorney who knows HIPAA. If you are hiring, look for an attorney who specializes in HIPAA to review your BA contracts. Borten says she's seen many a competent attorney include contract provisions that were not HIPAA compliant simply because the rule is complex and requires someone with specialized knowledge to interpret and apply it correctly.
Beware of subcontractors. Include language regarding subcontractors. Know to whom your BAs subcontract work and stay informed on these arrangements, says Borten. Consider requiring the organization to notify you if they are using a subcontractor, particularly one that is offshore. Some organizations go so far as to prohibit BAs from subcontracting work offshore, says Borten.
Don't view BAs as adversaries. "Covered entities and BAs have been partners for years; it is not something that has to cause a divide," says Ruelas. If your BAs need help becoming compliant, help them along. Your organization likely spent a lot of time getting up to speed on HIPAA. Save your BAs some of that work by sharing with them what you've already done.
"It really serves no purpose to say to them, 'Figure it out yourself,'" says Ruelas. Set aside a day and have them come in and talk to your designated privacy officer or security officer.
"You're helping each other out. It is a symbiotic relationship," says Ruelas.
For more information please call (407) 641-5199 or visit us at: http://www.sencilo.com
Why Sencilo HealthIT Solutions
When it comes to your healthcare computing needs, Sencilo HealthIT Solutions' main objective is to provide a turnkey solution that can essentially sustain itself. When you choose Sencilo HealthIT Solutions, you don't just gain a vendor who provides you with technology. You get a business partner who walks with you through every step of the process.
Sencilo HealthIT Solutions eHealthcare Architecture: More than technology
With Sencilo HealthIT Solutions eHealthcare Architecture, you can leverage the same productivity tools and technology resources that have transformed business. And you get a full portfolio of services too. By working with Sencilo HealthIT Solutions, you can get:
A dedicated customer team
A website customized for your institution
A full portfolio of robust solutions
Easy setup, implementation and maintenance
Simple ordering and delivery
Technology training
Flexible financing options
Sencilo HealthIT Solutions Professional Services makes it easy
In addition to providing high-quality technology at a low cost, Sencilo HealthIT Solutions Professional Services can help you plan your healthcare computing from the ground up. By working with you from the initial construction phases, we can help you save time and money and lead to a truly customized solution.
Sencilo HealthIT Solutions Professional Services offers complete services that include:
Design
Procurement
Installation
Training
Maintenance
Support
About Us
Sencilo HealthIT Solutions is a Florida-based integrator specializing in EHR Cost Cutting storage, security and managed services solutions. Sencilo delivers a comprehensive portfolio of products from best-of-breed hardware and software from multiple manufacturers including Allscripts, VMware, Dell, Fujitsu, Data Domain, EMC, Hitachi, Symantec, HDS, IBM, Commvault, Xiotech and HP.
Sencilo has offices throughout Florida including: Orlando, Lake Mary, Daytona, Medical City




