Next week we’re hosting a webinar on HIPAA compliance in a mobile world, featuring guest presenter Michelle Caswell of Clearwater Compliance. Michelle has over 14 years of healthcare experience, including previously working as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights. We asked Michelle a few questions about compliance, texting and the future of HIPAA.
What HIPAA compliance changes do you predict happening in the next few years?
I don’t see too many changes to the actual regulations but I anticipate that The Office for Civil Rights (OCR) will be taking a more granular look at Covered Entity (CE) and Business Associates’ (BA) compliance programs. For example, if a CE or BA provides a copy of its most recent risk analysis, that CE or BA should be prepared to provide evidence of a risk management plan and mitigation. It has also been said that OCR will implement a permanent audit program.
Why is it important that healthcare technology vendors offer and sign comprehensive Business Associate Agreements (BAAs) with the healthcare organizations using their technology?
It is a requirement that CEs have BAAs in place with their business associates. This contract acts as one way to show that a CE has received satisfactory assurances that the BA will safeguard the PHI entrusted to the CE in the same manner that the CE would do. If you are a CE and your BA refuses to sign a BAA, you are ultimately the one who is responsible.
The same is true for the BA and its subcontractor relationship. A BA must have a BAA between itself and any subcontractors that create, receive, maintain or transmit PHI on behalf of the BA.
What are the compliance risks associated with texting ePHI and if the risks are so high, why are so many doctors doing it?
Texting has replaced the “beepers” that hospitalists used in the past. Where we see some of the greatest risk is when organizations allow their employees to “bring their own device” (BYOD) to conduct business. It is harder to ensure that the portable devices have the appropriate safeguards when the cell phone is in the employee’s control. Employment law issues also can arise when employees use their own devices (i.e. can you as an employer demand that the employee hand over his/her phone to investigate an impermissible disclosure?).
Have another question for Michelle? Be sure to attend next week's webinar and live Q&A.