Do I Need New HIPAA Business Associate Agreements?
Now that the Health Insurance Portability and Accountability Act omnibus regulation has been published,1 companies across the health care industry and an enormous range of service providers are struggling to meet the challenges presented by these new rules by the Sept. 23 compliance date. Some of these obligations present new challenges in interpreting what the rules mean (e.g., the new marketing and sale restrictions). Other provisions require new analysis in situations arising in the future (e.g., the breach notification provisions). Business associates in general need to evaluate how best to comply with the detailed and onerous HIPAA Security Rule.
The question surrounding new business associate agreements presents a mixture of compliance obligations, risk management, and business opportunity, from the perspective of both covered entities and business associates. Business associate agreements have been around since the beginning of the HIPAA era. Because the Department of Health and Human Services had no authority to regulate anyone other than covered entities, the regulators created the idea of a business associate agreement to impose contractual obligations on the wide range of service providers to the health care industry. This was, at the time, a genius idea, to provide reasonably effective privacy protections beyond the authority provided by Congress. It imposed at least a contractual structure on the privacy and security of health care information far beyond the core requirements for covered entities. HHS did not properly appreciate, however, the time and money that would be spent negotiating hundreds of thousands of business associate agreements across the country.
Fast forward to the Health Information Technology for Economic and Clinical Health Act. Now, HHS has authority to regulate business associates directly, as of the compliance date in September. Under the new rules, business associates will need to comply with many of the provisions of the HIPAA Privacy Rule, all of the HIPAA Security Rule, and the HIPAA Breach Notification provisions. So, what about the need for updated business associate agreements themselves?
At a minimum, HHS clearly stated that business associate agreements still are required. Their justification for this is, frankly, limited, and not particularly persuasive. But, these agreements still are required even though the bulk of these documents (and all of the “required” elements) now will simply reiterate compliance requirements applicable by law for the business associates.
So, even though there is limited rationale for these agreements, do covered entities need to have new business associate agreements in place to meet the new requirements? And do business associates want new agreements or not? While it is possible that some existing agreements will meet all relevant standards, and there is no explicit statement from HHS (as there was with privacy notices) that new business associate agreements are required, most covered entities will find both that they will need to make changes to their agreements to deal with these new changes AND that it is desirable to have new agreements that reflect these changes. (Business associates also may find reasons to want new agreements). Despite some confusion, it seems clear that the obligation to implement business associate agreements continues to rest with the covered entity (and that business associates now have specific legal obligations whether there is a business associate agreement in place or not).
A Recent National Survey...
A recent national survey conducted by the Better Business Bureau reported that within a 12-month period, 9.3 million Americans were victims of Identity Theft, resulting in losses of $52.6 billion.
Through the survey, it was discovered that most thieves still obtain personal information through traditional, rather than electronic, channels. In cases where the method could be determined, 68.2% of information was obtained off-line versus only 11.6% obtained on-line.
A study authorized by the Federal Trade Commission agrees with the survey, stating that personal data is usually stolen in offline ways – such as dumpster diving – with only about 12% of the cases being a result of the Internet.
5 Paper Shredding Myths To Be Aware Of
1) Your company is too small for a shredding service. The size of your company should not dictate whether you should be implementing a shredding program. On average most office workers go through 10,000 sheets of paper each year. That is a TON of paper, which more often than not includes vital information pertaining to your staff, company, or customers. Unless your office is 100% paperless, there is always the need to securely shred documents. More importantly, the FACTA law states that any business that collects or handles credit must have a program in place to shred identifiable information.
2) Staff will use the office shredder. Unfortunately, employees have daily tasks that usually take priority, and feeding numerous papers through a shredding machine takes a considerable amount of time. These devices can also be quite a distraction to your employees due to the noise they create. In a lot of cases, the duty of shredding is put off only to pile up into a daunting task that nobody has time for; as a result, important papers are tossed into the trash or recycling bin because it’s easy. This is risky business for your company!
3) Your company is compliant if you have a shredder. As we know, office shredders are generally very unproductive, and regular use of them can be challenging to implement among employees. So unless shredded documents are being recorded and monitored, there is no legal proof that your company’s practices are compliant with privacy laws. Pioneer SecureShred will always provide proof of destruction upon completion, documenting that the process has been done from beginning to end, in accordance with the law. Save yourself the worry and seek professional assistance.
4) No one will rummage through your trash. Although we would love to believe this, the reality is alarmingly the opposite. Once your documents leave your hands and land in a trash bin, they are technically open to the public. Individuals, and worse, competing corporations, will resort to dumpster diving as a technique to gather juicy material on your business plans, customers, financial status and other areas of interest. Such behavior can seriously damage a company’s reputation and may lead to lost business.
5) It’s too expensive to hire a shredding company. When your document destruction needs are handled by professionals, your business saves time and money! Each time an employee operates an office shredder, you are taking away time that could be spent on productive duties beneficial to your company. What might take hours for an individual to shred only takes minutes with Pioneer SecureShred. Office shredders tend to get jammed, and therefore aren’t seen as a reliable long-term solution. If used on a regular basis, you’ll likely run into problems early on requiring the purchase of a replacement.
Special Offer! Try Our Service FREE for 30 Days!
Get started today! Here's how our FREE TRIAL works:
You sign up for Regular Scheduled Service*. We deliver locking Security Containers (64-Gallon Bins &/or Security Consoles), pick-up and shred all of your confidential materials for a 30 day period on a schedule consistent with your Scheduled Service Agreement ~ for free!
If you're not completely satisfied with our service, we'll remove the container(s) and you won't owe us a penny. If you are satisfied (and we expect that you will be!), your first month's service will have been free!
*Regularly-Scheduled Service refers to a pre-scheduled service date a minimum of once per month.
Monthly Shredding Services cost far less than you'd think!
Call us for a FREE QUOTE or to take advantage of our FREE TRIAL offer today!