
Are Your Business Partners HIPAA Healthy?

by Donna Koger, 7.5.18

According to the Omnibus Rule of 2013, “The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate [BA] that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.” 

How do you know if your business partners are HIPAA compliant and that they are safeguarding YOUR PHI? It is the responsibility of the Covered Entity (you) to be sure anyone accessing your data is in full compliance.

The HHS.gov website states that, “If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach.” So who is ultimately responsible for the breach, the Covered Entity or the Business Associate? The answer in most cases is BOTH. Whether the data is compromised from within your system or the system of a business associate, your organization can be liable for up to $50,000 per violation per day as a result of any breach of your patient data. And that’s just HHS penalties. It doesn’t include civil action, the cost of mitigation, and the loss of patient trust.

So how can you be safe?

The HHS makes it clear that covered entities must ‘obtain satisfactory assurance’ that each BA safeguards the patient data it receives or creates on behalf of the covered entity. That means covered entities must put forth a good faith effort to assist their business associates in achieving HIPAA compliance.

When you have a Business Associate Agreement (BAA) with your partners, it should specifically state that the partner is responsible for any breaches of your PHI and that they should be fully HIPAA compliant in their dealings with your organization. To be sure YOUR organization is fully compliant, have you . . .

  • Identified all Business Associates?
  • Obtained Business Associate Agreements with all Business Associates?
  • Audited your Business Associates to ensure that they are HIPAA compliant?
  • Set up reporting documentation to prove your due diligence?

Don’t reinvent the wheel: check out the BAA templates available on the internet. HHS.gov offers good advice on preparing BAA documents here: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

Resources: 

https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

Donna Koger is the HIPAA and Security Compliance Director of PIMSY EHR. For more information about electronic solutions for your practice, check out Mental Health Practice Management.

