With the Department of Health and Human Services (HHS) publishing the Omnibus Rule under the Health Insurance Portability and Accountability Act (HIPAA) in 2013, heightened scrutiny of entities’ compliance systems and internal controls became necessary. The self-policing of business associates that was in place before the Health Information Technology for Economic and Clinical Health Act (HITECH) modified the HIPAA Privacy, Security, and Enforcement Rules was no longer the case. The definition of a business associate was expanded to include subcontractors. As a result, many service organizations providing services to covered entities and business associates fell within the broadened compliance scope. Managers, boards, and legal counsel of such service organizations now had to refocus their energy and attention on demonstrating that compliance mechanisms were in place in order to avoid monetary penalties and potential indemnification claims. Business associates, who prior to the HITECH amendments were subject only to contractual obligations to the covered entities, now had direct liability for a specific set of obligations under the HIPAA Privacy, Security, and Breach Notification Rules.
In my role as Associate Counsel for a company that handles information falling under the definition of Protected Health Information (PHI) under HIPAA and HITECH, I was tasked with identifying the steps that had to be taken for the company to meet all of the HIPAA and HITECH requirements and to avert risks through the implementation of the necessary measures.
I had to conduct a thorough risk analysis of current practices, technology, and controls to identify all potential risks and vulnerabilities; develop the necessary privacy and security manuals laying out the processes for maintaining the confidentiality, integrity, and availability of PHI, including physical, technical, and administrative safeguards; develop training and risk-mitigation policies and procedures; and review and draft contracts and agreements with business partners addressing data sharing, data transmittal, and proper disclosure, adhering to the minimum-necessary requirement. An assessment and decision also had to be made on the technology to be used to protect electronic PHI from potential threats and attacks, taking into account encryption considerations and requirements, while also confirming the adequacy of the various software programs already in place.
Since HIPAA and HITECH together form a complicated regulatory scheme with many elaborate requirements, understanding the rules and developing policies and procedures to bring the company into compliance was not an easy task. Among other things, HIPAA sets standards for accessing and handling PHI, requires a particular notice of privacy practices, mandates an accounting of disclosures and of breaches, and imposes employee and staff training obligations as well as the execution of business associate agreements with vendors, business partners, and subcontractors that handle PHI. With the Privacy Rule setting the standards for the use and disclosure of PHI and the Security Rule establishing standards and procedures for securing electronic PHI from unauthorized access, I realized that while implementing policies and training employees could present a challenge, complying with the Security and Breach Notification Rules would pose an even greater obstacle. Comprehensive and accurate administrative, physical, and technical safeguards had to be developed and established to ensure the confidentiality, integrity, and availability of electronic PHI pursuant to the Security Rule.
Obtaining HIPAA compliance training and becoming certified as a HIPAA Privacy and Security Expert (CHPSE) through Supremus Group’s certification program proved indispensable for me in performing all of the tasks described above. In addition to providing knowledge and guidance, the Supremus Group program offered many invaluable tools such as worksheets, reference materials, and templates, which helped me develop written policies, procedures, and agreements for internal use and for use with business partners. Supremus Group’s online support service and online resources helped me navigate painlessly through various changing situations and challenges.
The opportunity to combine the roles of Associate Counsel and certified HIPAA privacy and security expert gave me the ability to bring legal expertise, training, and judgment to specific compliance challenges and to spot potential compliance issues before they surfaced. Occupying both positions helped make the compliance function an essential component of the company’s operations. In addition, legal training involves a distinct set of skills that proved instrumental in compliance-related determinations and in the negotiation of Business Associate and Subcontractor agreements.
By committing resources to in-house training and certification and integrating the HIPAA compliance function into the company’s internal operations rather than outsourcing it, the company made an invaluable long-term investment, ensuring that a productive, effective, and self-correcting mechanism is in place.
Olga Sher, JD, CHPSE
Associate Counsel