Earlier this month, we held a HIPAA compliance webinar with Michelle Caswell, Senior Director of Legal & Compliance at Clearwater Compliance. Our attendees asked some great questions, and we've decided to include them all in an in-depth discussion below.
Have another HIPAA compliance question? Post it in the comments and we'll be sure to respond!
Does the OCR audit Business Associates?
Yes. Business Associates (BAs) can be audited and investigated. Among the 200 Covered Entities (CEs) that will be audited in the upcoming round, the OCR is paying particular attention to each CE's Business Associate Management Program. The office will request:
• The names of your BAs
• An explanation of how you manage them
• The Business Agreements you have in place
• Any oversight you have over those Business Agreements
The pool of BAs from which the OCR will audit includes those named by its audited CEs. Note: The Office of Inspector General released two whitepapers last summer claiming the OCR hadn't done enough to enforce HIPAA. The result: a permanent audit program. Anyone can file a complaint against a BA, and on that complaint alone the OCR will investigate!
We are a small team of EMS providers. How do we go about training our employees on HIPAA's policies and procedures?
In most cases, we recommend outsourcing your training. For very small teams, it's possible to conduct the training internally to save money. A number of companies (Clearwater Compliance included) sell HIPAA templates that can be used to implement HIPAA policies and procedures in your organization. This is a good place to start. Once these have been drafted, you can better understand when and where you may need to outsource your training. Annual PowerPoint presentations on HIPAA compliance procedures and on-hire training are common practices.
How can you tell if your company messenger is secure?
The main difference between a heavily encrypted texting product and a HIPAA compliant messaging service is the presence of a third-party HIPAA auditing company certifying both your company and your messenger as HIPAA compliant. Better yet, if your information is encrypted you can take part in the Safe Harbor provision. This means that in the event of a breach resulting from lost or stolen devices, the incident will not be considered a "reportable" breach, provided that the information was encrypted.
How effective are web services for sending out mass texts?
Whatever application you decide to use, you will need to consider its implications in your organization's Risk Analysis. The use of web services is not explicitly prohibited by HIPAA, but you will need to be sure that it is both reasonable and appropriate for your environment. Good practice dictates conducting a risk analysis prior to implementing a web service or similar application. The ideal situation would be to find a solution that is both cross-platform and HIPAA compliant. A HIPAA-certified company with a strong local and web presence will allow you the flexibility to send out mass compliant messages to mobile phones as well as desktops.
For more details, catch the full webinar below.