Congratulations! You have a HIPAA-compliant business associate (or subcontractor) agreement in place – now what? How can you implement the agreement without becoming a HIPAA guru?
There are many resources available that offer detailed guidance on risk analysis and implementation protocols (such as the Guide to Privacy and Security of Electronic Health Information published by the Office of the National Coordinator for Health Information Technology and numerous "Special Publications" issued by the National Institute of Standards and Technology (NIST)).
These are terrific resources and can keep a team of IT professionals and Privacy and Security Officers reading and scratching their heads for weeks, but here are a few simple and practical steps you can take to avoid the security incident that may result in a protected health information (PHI) breach.
- Make sure the covered entity knows which individual(s) is authorized to receive PHI at the business associate. If neither the services agreement nor the business associate agreement specifies the person to whom PHI is to be disclosed, make sure the name, title and contact information of any designated recipient is communicated to the covered entity in writing.
- Include a provision in the business associate agreement (or subcontractor agreement) or develop a process whereby the covered entity (or business associate) provides notice, when feasible, prior to transmitting PHI to the designated recipient. Particularly when the transmission of PHI is sporadic or infrequent, provision of advance notice helps heighten awareness of the parties' HIPAA obligations with respect to particular data being transmitted.
- Establish an agreed-upon means of PHI transmission – for example, specify whether transmission will be made via encrypted email, portable device, hard copy, etc. – and document the chain of custody from covered entity to business associate and after receipt by business associate.
- Create a "vault" for PHI received by the business associate that is secured by access codes that are changed periodically and can be deactivated when personnel leave the employ of the business associate.
- Maintain a perpetual inventory of PHI repositories, delegating responsibility to the Security Officer to oversee or authorize repository access rights, review activity, and conduct regular audits.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.