As of September 23, 2013, ASCs were required to comply with the HIPAA Omnibus Final Rule.
One of the most significant changes to the HIPAA Privacy and Security Rules that went into effect in September involved business associate agreements (BAA), and the rules that govern the relationship ASCs have with their business associates (BA).
"The updated laws expand who HIPAA covers, and created additional responsibilities for ASCs," says Michael F. Schaff, chair of the corporate and healthcare departments and shareholder of Wilentz, Goldman & Spitzer P.A. "Over the past few years, electronic patient health information (PHI) has increased significantly, so there is additional exposure to errors and problems which could lead to potential liability. This potential liability can lead to substantial fines, since these breaches tend to happen in large doses."
He adds, "It is an ASC's responsibility to learn about the new HIPAA laws, including changes to BAAs, and do all they can to protect PHI."
Here are three steps ASCs should take to ensure they comply with the new HIPAA rules concerning BAs.
1. Identify BAs. The rules expanded the number of organizations that could be considered a BA. An ASC needs to have a BAA with every one of its BAs, so an ASC should determine what people and organizations it interacts with that are now considered a BA under the updated laws.
According to HHS, the definition of BA is as follows: a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity.
Some examples of people and entities likely to be considered an ASC's BA are as follows:
• IT service organizations
• Attorney whose legal services involve access to PHI
• CPA firm whose accounting services to a healthcare provider involve access to PHI
• Clearinghouses that translate claims from a non-standard format into a standard transaction on behalf of an ASC and forward the processed transaction to a payer
• Transcriptionists and transcription service providers
• Outsourced billing and coding firms
2. Properly vet BAs. While BAs can now be held directly liable for committing HIPAA violations, this does not protect ASCs from improper disclosure and use of PHI by the BA. "Covered entities could still be held liable for the conduct of that BA," says John P. Murdoch II, counsel with Wilentz, Goldman & Spitzer P.A.
It is imperative that ASCs conduct due diligence into the people and organizations who will be trusted with the facility's PHI.
"ASCs will want to confirm that their BAs have conducted an internal risk analysis as required under the HIPAA security rules, put policies and procedures in place based upon the results of that risk analysis and implemented a good HIPAA training program," Mr. Murdoch says. "However, one thing ASCs want to be careful of is not trying to control BAs to the point where the BA may be considered an agent of the ASC under the federal law of agency, but they do want to make sure they're properly vetting their BAs."
As part of the vetting process, an ASC would be wise to ensure BAs have insurance to cover breaches they may cause, Mr. Schaff adds. "Make sure that your BAA includes a provision that requires the BA to have a required minimum amount of insurance where the ASC is named as an additional insured. That way, if the BA goes belly up and lacks the economic wherewithal to pay fines or damages associated with violations, you know there's an insurance company with a deep pocket standing behind them."
3. Place limits on subcontracting. Under the new HIPAA rules, a BA's subcontractors are considered a BA of the ASC if the subcontractor has access to the ASC's PHI. As such, Mr. Murdoch says ASCs would be wise to take steps to gain control over whether these subcontractors are provided access to PHI.
"We advise our clients to incorporate in their BAA, although not required under the law, a provision to permit the ASC to approve a BA's subcontractors," he says. "In many cases, you have different services that end up being subcontracted or farmed out, sometimes overseas, and oftentimes you don't even realize this is happening."
Mr. Schaff adds, "Just add a limitation on the ability for your BA to subcontract any of its work for you, and require the BA to obtain your prior written approval of any subcontracted work. This will restrict company A from using company B to provide any of those services without your consent."