In the 1st quarter of 2013, 40 percent of all HIPAA breaks involving the revelation of PHI that affected over 500 people were the consequence of the acts of BAs of HIPAA–protected entities. The problem seems to be increasing because throughout the preceding 4 years BAs caused 30 percent of all registered HIPPA security breaks.
This fact hasn’t been overlooked by the Division of Health and Human Services. A fresh rule has been created which makes BAs answerable for their acts – or deficiency of them – to keep the secrecy of PHI. Bas, as well as their contractors, are now included in the latest modification to HIPAA; the Omnibus Law.
According to the new rule, the OCR has the authority to probe BAs for HIPAA conformity issues and BAs are believed to be involved in the forthcoming HIPAA checks. If the OCR finds out HIPAA conformity issues, BAs will be held answerable irrespective of whether or not a data breach has occurred and penalties will be imposed directly by the OCR. Prior to the Omnibus Rule became effective, it would be the HIPAA protected entity that would be held answerable and compelled to discuss a settlement with the OCR.
Although BAs can be held accountable for non-compliance problems, a HIPAA-covered entity should also execute its duties to safeguard PHI and this extends to making sure that the individuals or companies allowed access to PHI – or who affects the data in some way – uses the necessary technical, physical, and administrative protections to keep PHI confidential and private. The OCR can still penalize healthcare companies for HIPPA conformity issues pertaining to their BAs.
Protections required under HIPPA comprise safeguarding the data center, servers as well as computers on which the information is saved. It’s necessary that no unapproved people can get access to the actual devices where the information is saved.
Administrative methods should also be used, which include carrying out staff coaching on data safety as well as HIPPA rules, applying data protection plans, carrying out risk assessments as well as auditing processes.
Technical safeguards must be used on networks and servers, including the data encryption services, installation of firewalls, file integrity checking and applying a multifaceted security system to safeguard data saved on networks, terminals, and moveable devices. This extends to actual as well as cloud hosting, which is frequently subcontracted to IT businesses.
A failure to apply the suitable data safety measures, either by a HIPAA protected entity or its BAs and contractors, can see considerable penalties issued. It’s therefore for the benefit of any entity protected by HIPAA to carry out a complete risk analysis as well as to take the suitable actions to safeguard the secrecy of patients. They should also make certain that any BA that is hired to provide a service or perform work also agrees to abide by HIPAA rules and signs a document to that respect.