First Healthcare Compliance CONNECT September 2022
subcontractor. All of that is exceptionally important. So just something to be conscientious about there. Then you delve into the three overarching areas or purposes behind the Business Associate Agreement to ascertain that both parties each have been given reasonable assurances that the technical, administrative, and physical safeguards, as well as the Privacy Rule, Security Rule and Breach Notification Rule, and compliance and requirements are being met.
Another item that relates to that now is the 21st Century Cures Act and the ability to give patients their medical records in formats such as smartphone apps that weren't necessarily available before. But along with that, related to information blocking, are situations where a provider or a business associate may say: the general rule is that we have to provide this, but this is not an app that is secure or that we're familiar with, and for the safety of the entity and for structure, we're not going to provide that. So it's important now to reference state laws and other relevant laws such as the 21st Century Cures Act.
The next main area has to do with notification to the other party if you have a reportable cybersecurity incident, typically known as a breach, in accordance with the Breach Notification Rule. And there are really two steps to that. <strong>First</strong>, you want to have a timeframe set out between the parties as to when party A, if they're the breaching party, has to notify party B that there has been a breach. That's important because their IT department needs to take appropriate steps in order to safeguard certain things or go to plan B, to go to backups. So it's really mutual in nature along those lines. And then the second part of a reportable breach would then be, under the Breach Notification Rule, to report to HHS, to report to the patients and to report to the media if the breach itself affects 500 individuals or more.
Can you explain reasonable assurances in relation to business associate agreements and HIPAA?
Reasonable assurances in HIPAA is the first part of the business associate agreement. Both parties giving assurances that they meet the technical, administrative and physical safeguards in order to ensure the confidentiality, integrity and availability of the data. What would give someone peace of mind and also give them something legally, that they could say, we know that we do not have a right to go in and inspect everything. I have seen situations where, given the size of the contract, or the particular service that was at stake, sometimes one entity will agree to let another entity come on site and view their operations, which is only one part of that. What I do is I have my clients get a signature on an attestation. And the purpose behind it is that these reasonable assurances are being provided in order to give peace of mind that the party is adhering to the requirements of HIPAA and the HITECH Act. And if people can answer these five questions in earnest, you should walk away with a good feeling that they're doing everything that needs to be done. The first question is, does the party undergo an annual risk analysis that is comprehensive? Second, do they train their workforce annually? Third, is PHI and sensitive PII encrypted both at rest and in transit? Fourth, are business associate agreements in place, and are they recorded? And lastly, are policies and procedures at least reviewed annually, and are they comprehensive? So with that, that is how I define and think of a reasonable assurance. And secondly, how I advise my clients to protect themselves. And then lastly, the types of reasonable assurances are those five that I honed in on.
What are indemnification provisions and what language should be used in indemnification provisions?
It’s typically thought of as a contractual obligation of one party to compensate the loss incurred to the other party, due to certain acts of the indemnitor or any other party. The duty to indemnify is usually, but not always, coexisting with the contractual duty to
Contact Toll Free: 888-54-FIRST 9