Who is Responsible for HIPAA Compliance?

Covered entities and business associates are responsible for HIPAA compliance, the compliance of their workforces, and the compliance of any third party service providers to whom Protected Health Information (PHI) is disclosed. To manage the responsibilities, covered entities and business associates are required to designate a Privacy Officer and/or a Security Officer.

Although HHS’ Office for Civil Rights is responsible for enforcing Parts 160 and 164 of the Administrative Simplification Regulations (which include the Privacy, Security, and Breach Notification Rules), there are a number of standards within these Parts which place the responsibility for HIPAA compliance on covered entities and business associates. These standards include, but are not limited to:

§160.304 – The Principles for Achieving Compliance

The standard has two parts. The first part states that the Secretary of Health and Human Services (HHS) will seek the cooperation of covered entities and business associates in obtaining HIPAA compliance, while the second part states the Secretary may provide technical assistance to support voluntary HIPAA compliance.

§160.402 – Basis for a Civil Monetary Penalty

Section (c) of this standard makes covered entities (or business associates) liable for a HIPAA violation attributable to an “agent” of the covered entity (or business associate) acting within the scope of the agency. Agents include members of the workforce and business associates (or subcontractors of business associates).

§164.105 – Organizational Requirements

Section (a)(2)(iii) of this standard lists the responsibilities of a covered entity that is the covered element of a hybrid entity. In the context of answering the question of who is responsible for HIPAA compliance, it is reasonable to assume these responsibilities apply to all types of covered entities. The listed responsibilities include:

  • Complying with subpart C of Part 160 (“Compliance and Investigations”).
  • Implementing policies and procedures to comply with the Privacy and Breach Notification Rules.
  • Implementing “reasonable and appropriate” Security Rule policies and procedures.
  • Conducting due diligence and entering into compliant Business Associate Agreements when PHI is disclosed to third party service providers.

§164.308 – Administrative Safeguards

The Administrative Safeguards require covered entities and business associates to identify a security official who is responsible for the development and implementation of Security Rule policies and procedures, and to apply appropriate sanctions against members of the workforce who fail to comply with the policies and procedures.

§164.530 – Administrative Requirements

Similarly, the Administrative Requirements of the Privacy Rule require covered entities (and business associates where necessary) to designate a privacy official who is responsible for the development and implementation of Privacy Rule and Breach Notification Rule policies and procedures, workforce training, and applying sanctions.

Is HIPAA Compliance Voluntary or Mandatory?

The Administrative Simplification Regulations include references to “voluntary compliance”, the “flexibility of approach”, and “addressable implementation specifications”. However, compliance with HIPAA is mandatory for individuals and organizations that qualify as covered entities or business associates. This is clear from the “Applicability” sections of the Security Rule (§164.302) and the Privacy Rule (§164.500).

In addition, covered entities and business associates are not only responsible for the compliance of the organization, but also responsible for workforce compliance and compliance of third party service providers that create, receive, store, or transmit PHI for or on behalf of the covered entity or business associate. The secondary responsibilities apply to “agents working within the scope of their agency”.

The “scope” condition means there can be several outcomes of violations by workforce members or business associates. For example:

  • If a workforce member violates HIPAA because they have not received HIPAA training or because the required safeguards were not in place, the violation has occurred within the scope of the workforce member’s agency. In this case, HHS’ Office for Civil Rights can conduct a HIPAA investigation and sanction the covered entity or business associate.
  • However, if a workforce member is responsible for a violation of §1177 of the Social Security Act despite having received HIPAA training and with the required safeguards in place, the workforce member has acted outside the scope of their agency. In this case, the covered entity or business associate is not liable for the violation.

A similar “out of scope” scenario could exist if a covered entity shares PHI with a business associate without conducting due diligence or entering into a Business Associate Agreement. If a data breach subsequently occurs due to the non-compliance of a business associate, the covered entity – rather than the business associate – will be considered liable for the breach by HHS’ Office for Civil Rights.

Designating Who is Responsible for HIPAA Compliance

Designating who is responsible for HIPAA compliance is not just a question of selecting a random member of the workforce and assigning them the role of Privacy Officer and/or Security Officer. Covered entities and business associates have to comply with multiple federal, state, and local laws, and it may be necessary to combine HIPAA compliance with other compliance standards such as those required as a condition of participation in Medicare.

In some cases, the responsibility for HIPAA compliance can be assigned to an existing multi-disciplinary compliance team consisting of representatives from nursing, administration, legal, finance and IT. In other cases, it may be necessary to delegate the responsibility for HIPAA compliance to individual team leaders, with one team leader given the title of Privacy Officer and/or Security Officer to comply with the personnel designation requirement of §164.530.

If existing team leaders do not have the knowledge, capacity, or resources to take responsibility for HIPAA compliance, it may be necessary to employ a new member of the workforce who is responsible for HIPAA compliance, or outsource the responsibility to a third party organization. Covered entities and business associates unsure about who should be responsible for HIPAA compliance in their organizations are advised to speak with a HIPAA compliance professional.

The post Who is Responsible for HIPAA Compliance? appeared first on HIPAA Journal.