Are covered entities required to prevent all risk of incidental use or disclosure of protected health information?
Covered entities are not required to eliminate all risk of incidental uses or disclosures. The Privacy Rule does, however, require covered entities to adopt and implement reasonable safeguards to limit incidental uses or disclosures.
What does the HIPAA Privacy Rule require health care providers to do?
- Secure patients’ medical records and other PHI
- Notify patients of their privacy rights and explain how their health information can be used.
- Establish, follow, and document privacy procedures for the health care provider’s organization.
- Administer HIPAA training to employees to ensure understanding of both Federal and state laws, as well as the organization’s privacy procedures.
- Appoint a Privacy Official to manage the organization’s privacy program.
Can a covered entity hire a business associate to dispose of PHI?
Yes, provided the business associate enters into a contract with the covered entity. The contract should require that the business associate dispose of the PHI in accordance with Federal and state laws.
Are covered entities required to certify organizational compliance with Security Rule standards?
No. Currently, no certification body is accepted as the gold standard. Third-party certification processes can help ensure that business associates continuously meet a baseline level of HIPAA compliance, but they are not always comprehensive or accepted by covered entities. However, the Security Rule’s evaluation standard does require covered entities to perform a periodic technical and non-technical evaluation to test whether the organization’s security policies and procedures meet the security requirements. Such evaluations can be performed internally or externally.
What is the difference between Security Risk Analysis and Risk Management?
Risk analysis is the assessment of the risks and vulnerabilities that could negatively impact e-PHI. Risk management is the process and set of activities an organization carries out to implement the required security measures and so reduce its risk of losing or compromising its e-PHI; it acts on the findings of the risk analysis.
What is the HITECH Act?
The Health Information Technology for Economic and Clinical Health (HITECH) Act was designed to promote the adoption and meaningful use of health information technology. It was enacted as part of the American Recovery and Reinvestment Act (ARRA) on February 17, 2009.
The main changes introduced by HITECH include:
- Requires HIPAA covered entities and business associates to provide notification following a breach of unsecured protected health information (PHI)
- Extends the responsibilities of business associates under the HIPAA Security Rule
- Provides individuals with a right to obtain their PHI in an electronic format where the covered entity has implemented an electronic health record (EHR) system
- Strengthens the civil and criminal enforcement of the HIPAA rules
What is the Omnibus Rule?
In January 2013, HIPAA’s Omnibus Rule updated the Security Rule and Breach Notification portions of the HITECH Act. Under the Omnibus Rule, the range of businesses that must be HIPAA compliant expanded, and business associates became directly obligated to comply with HIPAA’s Security Rule.
What are Business Associate Agreements?
A Business Associate Agreement (BAA) is a contract between a HIPAA covered entity and a HIPAA business associate that protects PHI in accordance with HIPAA requirements. A BAA describes how the business associate is permitted and required to use PHI and the safeguards it must apply to that PHI.
Are subcontractors of Business Associates required to comply with HIPAA?
If a subcontractor provides services for the covered entity or business associate that involve PHI, a BAA should be executed with the subcontractor, and the subcontractor is directly obligated to comply with HIPAA’s Security Rule.