Data Access

Take, for example, the implementation specification of Emergency Access Procedure within the HIPAA Security Rule. The purpose of this provision is to ensure that covered entities have procedures in place to access ePHI outside of normal operational circumstances. It is incumbent upon the covered entities to define which kind of situations would require emergency access; it’s implied that a service provider who maintained ePHI on behalf of a covered entity or business associate is also responsible for accommodating these situations, regardless of whether the ePHI is encrypted or not.

Another example involves business continuity and disaster recovery as required by the HIPAA Security Rule’s disaster recovery plan, emergency mode operation plan and contingency operations implementation specifications. Service providers must routinely test their business continuity and disaster recovery plans, analyze outages, train workforce members on these procedures and maintain documentation of these activities. Covered entities can be held accountable for the lack of planning on the service provider’s part if the lack of planning results in a breach.

Under the Omnibus Final Rule, a business associate is defined in terms of the functions or activities that it performs on behalf of a covered entity in relation to ePHI. An entity is not exempt from the definition of business associate and is not relieved of the accompanying compliance obligations simply because ePHI is encrypted.

All of this comes down to one simple notion: accountability. Or, as the Omnibus Final Rule puts it, prevention of security lapses due to outsourced IT arrangements. No matter where the ePHI flows, the full scope of HIPAA security must be considered. Attempts at derogation of responsibility in that flow miss the point entirely, and covered entities remain accountable.

Service providers doing business with covered entities need to realize that they are responsible for ePHI – no matter the form – and that they too may be held accountable at the discretion of the Department of Health and Human Services. For a service provider, it’s a huge gamble since instances of noncompliance could be deemed willful negligence, subjecting covered entities and their business associates to significant monetary penalties. Under the new tiered-penalty structure, penalties for repeated willful neglect can be as high as $1.5 million per violation.

Covered entities should review their business associate relationships immediately as the compliance clock is ticking down to Sept. 23, 2013. They will need to ask the difficult questions about how their service provider manages operations with respect to the full scope of HIPAA security, and establish expectations around the assurances given for compliance.

As you can see, the Omnibus Final Rule, while meant to clarify accountability, raises additional questions for the health IT community. We are hopeful that this article provides you with a better understanding of the role of covered entities and business associates under HIPAA.

Verizon offers managed hosting and cloud services designed to meet appropriate HIPAA controls for storing and protecting ePHI. This includes signing a Business Associate Agreement with covered entities storing their ePHI with Verizon.



July 2013 39
