HIPAA Business Associate
A HIPAA Business Associate (BA), such as VirtualScrivener, is an organization that provides a service to a covered entity and, in doing so, must create, store, or disclose protected health information (PHI). HIPAA sets standards for how this identifiable information must be kept private and secure by everyone in the healthcare industry who handles it. Because BAs handle PHI in the course of their work just as covered entities do, they are directly subject to HIPAA's requirements.
One of the main challenges with business associate HIPAA compliance is that organizations are often not aware that the law considers them BAs. Covered entities have always been conscious of their obligation to meet HIPAA's requirements; business associates have not always been as aware. Because we, as a business associate, are directly liable for breaches, we take all necessary steps to maintain HIPAA compliance. Demonstrating HIPAA compliance tells covered entities and patients that we can be trusted to protect their information.
HIPAA Compliance Checklist
Identify, execute, and comply with valid business associate agreements (BAAs). A BAA requires us to maintain the privacy and security of PHI; limits our use or disclosure of PHI to the purposes the covered entity has authorized; and obliges us to assist the covered entity in responding to individuals' requests concerning their PHI.
Comply with the Privacy Rule. The basic rule is straightforward: covered entities and their business associates may not use, access, or disclose PHI without the individual's valid, HIPAA-compliant authorization unless the use or disclosure falls within a permitted exception. At VirtualScrivener, we consult the covered entity before any use or disclosure that our agreement does not already cover.
Perform a Security Rule risk analysis. We use the Security Risk Assessment (SRA) Tool developed by HHS, and we periodically review and update the analysis so that it reflects our current systems and operations.
Implement Security Rule safeguards. We have implemented the administrative, physical, and technical safeguards the Security Rule requires, verified against a checklist maintained by our in-house HIPAA auditor.
Maintain written Security Rule policies. As a business associate, we adopt and maintain the written policies and procedures the Security Rule requires. Our HIPAA auditor periodically checks that practice matches those policies and keeps records of each review.
Respond immediately to any violation or breach. We respond immediately to any actual or suspected violation in order to contain unauthorized access to PHI and reduce exposure to HIPAA penalties. Prompt action limits the damage and, in the risk assessment that follows, may show a low probability that the PHI was actually compromised.
Report security incidents and breaches in a timely manner. We notify the covered entity of three kinds of events involving PHI. First, we report breaches of unsecured PHI to the covered entity, without unreasonable delay and within the deadline set by the Breach Notification Rule and our BAA, so that the covered entity can notify the affected individuals and HHS. Second, we report uses or disclosures that violate the business associate agreement, which includes uses or disclosures that violate HIPAA even when they are not reportable under the Breach Notification Rule. Third, we report security incidents, meaning the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI, or interference with the operation of a system that holds PHI.
Maintain required documentation. We retain the documentation the Security Rule requires for six years from the date it was created or the date it was last in effect, whichever is later. Although not required, documenting other compliance activities helps rebut any allegation of willful neglect.