HIPAA requires Business Associate Agreements (BAAs) between covered entities and their business associates (BAs). HIPAA audits have, however, begun to verify not only whether a BAA is actually in force between a BA and a covered entity, but also whether the BAs actually comply with those agreements. A BAA sets clear expectations that the business associates you work with must meet HIPAA's PHI protection requirements. HIPAA compliance is reason enough to enter into agreements with your BAs. It is also important to know that HIPAA audits are increasing in number and are aimed at small practices and organizations. Missing BAAs can result in penalties, including fines, which can be particularly problematic for small firms with limited resources.

They offer a solid 9-minute video on the certification process. My favorite part is that NAID performs random, unannounced audits of shredding services as part of the certification. An important point, however: NAID certification is granted per location, not per company. Make sure you validate the certification for the site that does your shredding, not just the company. In addition, NAID requires a shredding process that reduces the paper to a tiny particle size. Together, these requirements significantly reduce the privacy risk to PHI.

The number and scope of HIPAA audits have recently changed. In 2016, the HIPAA audit program launched Phase 2, which covers both covered entities and business associates, and there are fewer on-site audits. Instead, desk audits are carried out, which include requests for a list of all the business associates of covered entities. During Phase 1 of the audits, the Office of Civil Rights (OCR) simply asked covered entities to provide a list of their business associate contracts; in Phase 2, the OCR not only examines the BAAs but also reviews the BAs to determine whether they actually comply with HIPAA. Covered entities must ensure that they understand when a BAA is required and that they execute these agreements so that, in the event of an audit, they can produce the requested documents and demonstrate compliance with the relevant HIPAA provisions.

Is a BAA required with Dropbox or any other cloud service provider (CSP)? Yes. According to HHS.gov, when a covered entity uses a CSP "to create, receive, maintain or transmit ePHI (e.g. to process and/or store ePHI), the CSP is a business associate under HIPAA. ... This is true even if the CSP only processes and stores encrypted ePHI and does not have an encryption key for the data." (www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html) Thus, if a covered entity uses any type of CSP, be it Dropbox to store documents or an electronic health record system, the covered entity and the CSP must enter into a BAA, even if the data is encrypted and cannot effectively be accessed by the CSP.