14.09.2022

First Healthcare Compliance CONNECT September 2022

subcontractor. All of that is exceptionally important. So just something to be conscientious about there. Then you delve into the three overarching areas or purposes behind the Business Associate Agreement to ascertain that both parties each have been given reasonable assurances that the technical, administrative, and physical safeguards, as well as the Privacy Rule, Security Rule and Breach Notification Rule, and compliance and requirements are being met.

Another item that relates to that now is the 21st Century Cures Act in the ability to give patients their medical records in formats such as smartphone apps that weren’t necessarily available before, but along with that, related to information blocking, are situations where a provider or a business associate may say, what the general rule is that we have to provide this, but this is not an app that is secure or that we’re familiar with, and for the safety of the entity and for structure, we’re not going to provide that. So it’s important now to reference state laws and other relevant laws such as the 21st Century Cures Act.

The next main area has to do with notification to the other party if you have a reportable cyber security incident, typically known as a breach, in accordance with the Breach Notification Rule. And there are really two steps to that. <strong>First</strong>, you want to have a timeframe set out between the parties as to when party A, if they’re the breaching party, has to notify party B that there has been a breach. That’s important because their IT department needs to take appropriate steps in order to safeguard certain things or go to plan B to go to backups. So it’s really mutual in nature along those lines. And then the second part of a reportable breach would then be, under the Breach Notification Rule, to report to HHS, to report to the patients and to report to the media if the breach itself affects 500 individuals or more.

Can you explain reasonable assurances in relation to business associate agreements and HIPAA?

Reasonable assurances in HIPAA is the first part of the business associate agreement: both parties giving assurances that they meet the technical, administrative and physical safeguards in order to ensure the confidentiality, integrity and availability of the data. What would give someone peace of mind and also give them something legally, that they could say, what we know that we do not have a right to go in and inspect everything. I have seen situations where, given the size of the contract or the particular service that was at stake, sometimes one entity will agree to let another entity come on site and view their operations, which is only one part of that. What I do is I have my clients get a signature on an attestation. And the purpose behind it is that these reasonable assurances are being provided in order to give peace of mind that the party is adhering to the requirements of HIPAA and the HITECH Act. And if people can answer these five questions in earnest, you should walk away with a good feeling that they’re doing everything that needs to be done. The first question is, does the party undergo an annual risk analysis that is comprehensive? Second, do they train their workforce annually? Third, is PHI and sensitive PII encrypted both at rest and in transit? Fourth, are business associate agreements in place, and are they recorded? And lastly, are policies and procedures at least reviewed annually, and are they comprehensive? So with that, that is how I define and think of a reasonable assurance, and secondly, how I advise my clients to protect themselves. And then lastly, the types of reasonable assurances are those five that I honed in on.

What are indemnification provisions and what language should be used in indemnification provisions?

It’s typically thought of as a contractual obligation of one party to compensate the loss incurred to the other party due to certain acts of the indemnitor or any other party. The duty to indemnify is usually, but not always, coexisting with the contractual duty to
