When it comes to protecting health information, the importance of conducting risk assessments and partnering with HIPAA-compliant business associate can hardly be stressed enough.Medical billing and coding outsourcing to companies that do not adhere to HIPAA regulations can result in massive settlements.

Maintaining HIPAA compliance has become an increasingly difficult challenge for health care entities. Common causes of data breaches include internal threats, weak security controls, outdated software or web browsers, and cyber attacks. Health care providers also need to execute a proper business associate agreement (BAA) with their business partner.

Phase 2 of the audits of covered entities and their business associates (BAs) of the HHS Office for Civil Rights (OCR) was formally launched in March 2016. The aim of the HIPAA Audit Program is to review the policies and procedures adopted and employed by covered entities and their BAs to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. Health care entities and their BAs have to be ready to face these audits.

Risk Assessments are Crucial

To prepare for the OCR HIPAA audits, health care entities need to ensure that their privacy and security measures are comprehensive and up-to-date. A vigorous risk assessment process is crucial for the security of patient health data. Entities need to ensure the following:

  • have the right security policies and procedures in place
  • conduct security risk analysis on an ongoing basis
  • reevaluate potential risks to e-PHI (protected health information)
  • are properly training employees
  • their business associate relationships, such as with a medical billing and coding outsourcing company, is appropriately documented
  • physical and electronic data is secure

According to The Department of Health and Human Services (HHS), conducting risk assessments helps health care providers identify potential weaknesses in their systems, security policies and processes. These assessments will also help them implement appropriate security measures to address the risks identified in the risk analysis, potentially preventing adverse security events and health data breaches.

Know your Business Associates

OCR requires health care entities to identify their business associates and will ask for lists and contact information for BAs. A “business associate” is a person or entity that performs certain activities or functions that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. These activities and functions include but are not limited to: medical coding services; claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; medical billing services; benefit management; and practice management.

Under the Privacy Rule, the covered entity has to obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. These assurances must be in the form of a written contract or other agreement between the covered entity and the business associate.

A HIPAA compliant medical coding service company will have a comprehensive slew of security measures in place to safeguard the information entrusted to them by their clients. These would include computers with disabled external drives, prohibition of electronic devices including laptops and PDAs onsite, physical security checks, password protected computers with firewalls and antivirus software installed, shredding of damaged hard copies of patient information on site, and 256 bit AES encryption for all transferred files.

OCR plans to complete desk audits of covered entities and business associates over the course of 2016. HIPAA covered entities should keep track of OCR-related developments and take proactive steps to ensure their organizations are compliant with HIPAA requirements and that their business associates such as their medical billing and coding outsourcing partner is also HIPAA compliant.