What does this mean for covered entities and business associates alike? Depending on where you are in the compliance process, it’s time to either update or draft a new contract and re-sign with your current vendors. Or it may be time to search for a new hosting provider if your current HIPAA hosting provider isn’t able to sign a business associate agreement or meet HIPAA compliance.
Business Associate Agreements
According to the HHS, the contractual terms of the business associate agreement must:
Establish permitted/required uses and disclosures of protected health information (PHI) by the BA
Provide that the BA will not use or disclose information other than as permitted or required by the contract, or as required by law
Conduct and document an initial risk assessment/analysis to determine where your business stands in implementing HIPAA security safeguards and where you need to fill in the gaps. This list of the Nine Components of a HIPAA Risk Analysis provides a good high-level overview of what you need to include in your document.
Research and understand the HIPAA standards and your role in handling PHI. As a HIPAA compliant hosting provider, Online Tech never accesses PHI or data on clients’ servers; we only provide the secure infrastructure necessary to protect sensitive information in a fully compliant environment.
Draft a business associate agreement (BAA) that clearly defines your role and obligation in handling a client’s sensitive data. Include clauses about contract termination, data ownership and breach notification.
Ideally, invest in an independent HIPAA audit of your business against the OCR HIPAA Audit Protocol in order to have the assurance and verification that your policies, procedures and services are in compliance. If you need guidance on which IT components can help you achieve compliance, read our HIPAA FAQ.
Train all of your employees in HIPAA-compliant policies and procedures as they affect the day-to-day operations of your company, and according to the level of security needed by position – an employee who transports sensitive data will need more specific guidelines to stay compliant and prevent a data breach. Document proof of employee training and awareness, and update it every year.
Appoint a Risk Management and Security Officer in your company, preferably someone with a strong technical background, to implement, manage and oversee compliance and to ensure everyone is following the documented policies and procedures.
Need help achieving compliance? Learn about the specific HIPAA requirements for hosting with IT vendors in our HIPAA Compliant Hosting white paper. With 36 pages of statistics, diagrams and researched information sourced from engineers and a CHSS (Certified HIPAA Security Specialist), this white paper is your complete guide to HIPAA hosting.