HIPAA Vendor Assessments

HIPAA Analytics offers healthcare providers, vendor (Business Associates) due diligence consulting to ensure vendors meet required levels of HIPAA privacy and security. The assessment process is generally customized to meet provider requirements that focus on the nature of the vendor services, business process, types of data, and technology that support the provider. Depending on the scope of the assessment, project tasks may include;

  • Developing a due diligence vendor questionnaire and supporting the vendor completion.
  • Providing validation of questionnaire responses.
  • Providing ongoing activities related to the development, implementation, maintenance, and adherence to the vendors policies and procedures covering the privacy and security of patient protected health information (PHI) in compliance with federal and state laws.
  • Collaborate with vendor business and technology departments to define and develop compliance policies and procedures in connection with provider/vendor service agreements.
  • Coordinating and communicating due diligence requests with contacts within the vendor business units and other third-party service providers
  • Evaluate and score due diligence materials related to a vendors HIPAA privacy and security compliance program.
  • Work closely with vendors to remediate any gaps or weaknesses related to a vendor’s compliance program.
  • Provide training to vendor business units related to the requirements for complying with the provider contract and business associate agreement.
  • Review, revise and, at times, draft policies, procedures, and guidelines to ensure business processes are in compliance with provider and vendor program.
  • Develop and maintain reports to communicate to provider compliance issues found or non-compliance with the vendor compliance program.
  • Develop and/or enhance tools to assist vendor in complying with provider contract and vendor business associate agreement.

Contact us for more information on HIPAA vendor assessments and services.

Based in Minneapolis/St. Paul, MN we are centrally located to serve clients anywhere in the nation.

 

 

HIPAA “Desk Audit” for Small and Mid-Sized Providers and Business Associates

HIPAA Desk Audit

HIPAA Analytics Desk Audit is a valuable and cost effective way to receive an assessment of current HIPAA privacy and security compliance efforts for small to mid-sized providers and business associates. The Desk Audit is conducted remotely, applying risk analysis guidance methods of the Office of Civil Rights (OCR) Audit Program Protocol and guidance from the National Institute of Standards and Technology (NIST) in assessing provider or business associate HIPAA privacy and security documentation. The Desk Audit covers the HIPAA Privacy Rule, Security Rule and Breach Notification Rule.

Document Collection and Compliance Clarification

The Desk Audit is accomplished through a comprehensive compliance document review and a clarification worksheet, which allows the audit participant to detail specific information regarding the implementation of its HIPAA privacy, security and breach notification requirements. At the conclusion of the Desk Audit, the provider or business associate will receive a preliminary report outlining findings and recommended remediation efforts to address compliance weaknesses. As a part of the remediation efforts, HIPAA Analytics will offer actionable guidance on improving the compliance program.

Because no on-site review of audit participant facilities is required, the Desk Audit is streamlined by collecting participant documentation and clarification input to cost effectively assess current HIPAA privacy and security compliance levels.

Contact us to learn more on how your organization can obtain a cost-effective assessment of its HIPAA privacy and security compliance level.

Based in Minneapolis/St. Paul, MN we are centrally located to serve national clients.

Data Breach Prevention and Notification Plan

In today’s expanding HIPAA compliance environment, staying on top of privacy and security regulations amended by the recent HITECH Act can be daunting. For example, one new regulatory requirement includes establishing data breach notification requirements for HIPAA covered entities and their business associates. The challenge for healthcare organizations in this provision alone becomes the process of measuring exposure to a data breach, developing policies and procedures to reduce exposure and developing a data breach incident plan to help minimize risk.

Need for Compliance Support
While the process of implementing new data breach requirements appear simple enough, most healthcare organizations admit they are not equipped to meet new data breach requirements. In fact, a recent study[1] on Patient Privacy and Data Security by the Ponemon Institute reports a key takeaway…”Most healthcare organizations experience undetected breaches of patient data due to lack of preparation and staffing. Healthcare organizations in our study told us they have inadequate resources (71 percent), few (if any) appropriately trained personnel (52 percent) and insufficient policies and procedures in place (69 percent) to prevent and quickly detect patient data loss.”

Full Impact of Data Breach
According to another Ponemon Institute study[2] , the data breach incident cost to U.S. companies is $202 per compromised customer record in 2008. Cost factors include, expensive outlays of investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions.

Reducing Data Loss: People, Process and Technology
In response to the potential negative effects of a data breach, healthcare organizations continue to upgrade their technology, yet according to Rick Kam, president of ID Experts, a data breach solutions company, explains in a recent data breach press statement[3] that, “Hardly a day goes by without news of some type of data breach being reported. Data breach incidents are growing in frequency and severity, while regulatory requirements for data privacy protection and incident notification are becoming more stringent. Although organizations entrusted with PII and PHI are making investments in technologies such as encryption and data loss prevention (DLP), none of these are “silver bullets” that will eliminate data breach risks. Despite the focus on failure or lack of adequate security controls within organizations, a far more significant and common portion of these events are simply the result of staff’s lack of awareness and/or compliance to internal security policies and lax practices to safeguard sensitive information.”

To be sure, any healthcare organization is complex, with countless internal and external data points touched by people, processes and technology. To achieve privacy and security assurance of data integrity a thorough analysis of “all” data points is key to a successful compliance program.

How We Can Help
Our data breach prevention audit examines PHI handled by people, processes and technology. Our audit will inventory PHI, evaluate policies and procedures, examine staffing roles, review business processes, conduct a security evaluation and upgrade training and awareness programs as needed.

[1] Benchmark study on patient privacy and data security, November 2010, Ponemon Institute, sponsored by ID Experts.
[2] Fourth Annual US Cost of Data Breach Study, January 2009, Ponemon Institute.
[3] Data breach risks and privacy compliance: The expanding role of the IT Security professional, Data Breach Press 2010, ID Experts.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us

President Signs Red Flags Rule Clarification Act Into Law

The “Red Flags” Rule, in effect since January 1, 2008, requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts. By identifying red flags in advance, organizations are better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into a costly episode of identity theft.

The Red Flag Program Clarification Act of 2010 was the result of continued confusion over which businesses were required to implement Red Flags Rule Programs designed to prevent and mitigate the risk of identity theft by the end of the year. The Red Flags Rule is regulated by the Federal Trade Commission (FTC).

The bill amends the original definition of “creditor” that the FTC was instructed to use in writing the regulation. The bill limits the definition of a “creditor” under the Fair Credit Reporting Act to only those entities that use consumer reports, furnish information to consumer reporting agencies, or advance funds to or on behalf of a person. This definition in effect excludes law firms, health care practices, retailers, utility companies, telecommunications firms, automobile dealerships, and other small businesses from complying with the Red Flags Rule. The purpose of the limitation was to ensure that the Red Flags Rule covers creditors who pose the highest risk for identity theft, including creditors which use consumer reports, furnish information to consumer reporting agencies, or loan money to individuals.

For healthcare organizations that have developed and implemented the Red Flags rule, experts point out that you still have a duty to safeguard the confidentiality of protected health information, and an organization that had a policy in place and then stopped using it because of a relaxation in the law may be particularly vulnerable to claims that it could have prevented someone’s identity theft and didn’t. We recommend reviewing your policies and procedures regarding identity theft prevention.

You can find practical tips on spotting the red flags of identity theft, taking steps to prevent the crime, and mitigating the damage it inflicts. Learn how to put in place your written Identity Theft Prevention Program at http://www.ftc.gov/redflagsrule

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us

Business Associate Strategy and the HITECH Act

Expanded Scope and Enforcement of HIPAA

Whether you are a hospital, insurance company or a vendor to healthcare, recent federal legislation has dramatically changed the rules regarding privacy and security compliance.

On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 [PDF], which contained provisions comprising the Health Information Technology for Economic and Clinical Health Act, or HITECH Act (“Act”). The Act makes sweeping changes to the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The Act imposes additional privacy and security rules on business associates. For example, The Act provides for the business associate’s compliance with the terms of the business associate agreement a direct requirement of HIPAA. The Act also applies the administrative, physical and technical safeguard requirements of the security rule to business associates, including obligations related to policies, procedures and documentation.

Additionally, new data security breach notification requirements within the Act now apply to both covered entities and business associates, requiring patient notification of any unauthorized acquisition, access, use or disclosure of their unsecured protected health information. Moreover, increased civil and criminal penalties now apply to violations of HIPAA privacy and security requirements and authorize state attorneys general to bring civil actions on behalf of state residents adversely affected or threatened by such violations.

Healthcare organizations are faced with a growing trend of sharing confidential health information with vendors (business associates) in order to meet critical business needs, yet from a risk management perspective, little if any measurement of business associate compliance knowledge is evaluated, leaving little assurance of sound compliance practices by the business associate handling patient confidential health information.

Privacy violations and security data loss by business associates and their sub-contractors have also become a strategic liability issue for healthcare organizations. For example, new security breach notification rules of the require patients be notified of any unauthorized acquisition, access, use or disclosure of their unsecured protected health information. New security breach notification requirements apply to covered entities and require business associates to notify covered entities of any unauthorized acquisition, access, use or disclosure of their unsecured protected health information they hold on behalf of the covered entity, including the identity of each individual who is the subject of the unsecured protected health information.

According to the Ponemon Institute [PDF], a privacy and information management research firm, the data breach incident cost to U.S. companies is $202 per compromised customer record in 2008. Cost factors include, expensive outlays for detection, escalation, notification and response, along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions.

Bottom line. Make sure you have updated business associate agreements* in place by February 17, 2010.

*To view a sample HITECH Act Business Associate Agreement, view the RECENT ARTICLES section above entitled Healthdatamanagement.com—February 9, 2010 — New Model BA Agreement, or simply click here to go directly to the site.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us