THE DIGITAL PRACTICE
10 questions to help you meet the next HIPAA deadline
Understanding the requirements for a business associate.
By Peter Polack, MD, FACS
According to HIPAA regulations slated to go into effect next month, physicians must have a compliant agreement in place with each business associate — any organization that creates, receives, maintains or transmits patient health information on the practice's behalf to perform a function or service for it. Business associates can include health information exchanges, practice management consultants, or even lawyers.
A business associate agreement is a written assurance that these organizations will safeguard your patients' data. Business associates are also directly liable under the HIPAA rules for their own compliance.
What I offer here is just a guideline. You should meet with your own lawyer before you develop a HIPAA-compliance plan for vendors.
A practice is not responsible for its business associates' or their subcontractors' compliance, but it is responsible for engaging only HIPAA-compliant vendors.
COMPLIANCE ASSURANCES
Here is a starter list of HIPAA compliance assurances we’re asking our business associates to discuss and document with us. You can use this list as a guide.
1. Do they enter into “compliant” business associate agreements with any subcontractor or third party with whom they share our personal health information to fulfill their obligations to us as a covered entity?
2. Have they designated a HIPAA security officer or privacy officer, or both, with 24/7 contact information?
3. What is their process for writing, approving, distributing, evaluating, updating and archiving appropriate protection policies and procedures for personal health information?
4. What plans do they have for incident response and management, and for notifying us of breaches?
5. Do they have a current, HIPAA-conformant risk analysis?
6. Do they have tested plans for business continuity, disaster recovery, emergency management, and backup and restore?
7. Regarding workforce training: who was trained, when, and what did the training cover? Ask for more than general terms and concepts: several states require specific levels of training based on job role and the level of exposure risk of each job.
8. How do they perform compliance gap assessment?
9. Do they have a plan for corrective action and regular status review dates?
10. How are they addressing state-specific privacy requirements for personal health information?
Resources for compliance
We’ve posted a number of resources with links to information you may find helpful at http://bit.ly/1qISeq4
Peter J. Polack, MD, FACS, is co-managing partner for Ocala Eye, a multi-subspecialty ophthalmology practice located in Ocala, Fla. He is also founder of Emedikon, an online practice resource for physicians and administrators. His e-mail is ppolack@ocalaeye.com