The regulations known as the HIPAA/HITECH Omnibus Final Rule went into effect in late March 2013, with a 180-day safe harbor compliance period ending on September 23, 2013.
While the new rules do not drastically change HIPAA/HITECH compliance obligations for medical services and healthcare providers, they bring big changes for business associates, such as third-party administrators, benefit managers, insurance brokers, and law firms handling medical cases. Under the new regulations, business associates are required, for the first time, to comply with the HIPAA Security Rule and many provisions of the HIPAA Privacy Rule, and they are subject to direct enforcement action by the U.S. Department of Health and Human Services (HHS).
If your business has not completed its compliance measures yet, here are 7 critical steps to take toward HIPAA compliance for business associates:
1. Implement Business Associate Agreements
Business associates are now required to enter into business associate agreements with their subcontractors. Covered health plans are not required to update their existing business associate agreements until September 22, 2014. In some cases the existing agreements do not require significant changes for legal compliance; even so, an update gives employers the opportunity to address terms of these agreements that have a business impact, such as reimbursement of costs incurred in responding to a security breach caused by a business associate and indemnification for third-party claims.
2. Enforce Security Policies and Procedures
To minimize the risk of a security breach, employers and business associates should implement or update policies and procedures to ensure compliance with the HIPAA Security Rule. Employers and business associates should also conduct a risk assessment to confirm that these policies and procedures adequately address and mitigate operational risk, so that a potentially costly breach is avoided or its impact reduced.
3. Address Privacy Policies and Procedures
Employers that have previously implemented HIPAA policies and procedures will need to update them to address several regulatory changes, such as the new standard for determining whether a security breach has occurred and the new procedures applicable to requests by plan participants for access to protected health information (PHI) in electronic form. From a technical legal compliance perspective, business associates do not have a legal duty to implement policies and procedures. As a practical matter, however, business associates cannot meet their complex HIPAA compliance obligations without policies and procedures that provide direction to the business associate’s employees on what they actually need to do to comply with HIPAA.
4. Address HIPAA Privacy Notices
Employers are required to update their HIPAA Notice of Privacy Practices by September 23, 2013, to inform participants in HIPAA-covered plans of new rights and new restrictions on the plans’ use of PHI. If the employer has a benefits website, the updated notice must be posted there and distributed to the named insured of each HIPAA-covered plan with the next open enrollment mailing. If the employer does not have a benefits website, the updated notice must be distributed within 60 days of its effective date.
5. Inform your staff
Employees need to be informed of the changes to HIPAA regulations that are relevant to their job functions and cross-training. Employers and business associates should provide training on conducting business in line with HIPAA privacy and security practices, and make training and policy materials available to employees at all times.
6. Conduct a physical security audit
If you work with HIPAA-critical data at your location, make sure that all materials are handled and stored securely: files that may contain private patient information must be put away, and cabinets and doors must be locked and accessible only by trained employees (see step 5). Also ensure the safety and security of the assets that use and store digital information, such as computers, servers, and laptops.
7. Conduct an internal IT audit
Make sure that the technology your business uses for day-to-day operations meets HIPAA security and privacy standards. This covers the physical security of your IT assets (devices, laptops, computers, servers, etc.) as well as the security of your data and the systems that carry it, for example your email client and email archives (did you know you must archive email by law?), your electronic files and documents, your intranet and so on. After the audit is complete and any security failures are addressed, make sure everything is kept up to standard going forward and maintained on a regular basis. If you want to be sure it is done right, contact a Managed Service Provider that specializes in HIPAA/HITECH-related IT support for medical providers and business associates.
Our IT Solutions for Doctors' Offices: Overview
- Managed IT Support Services – 24/7/365 remote monitoring
- IT Service Plans – onsite, remote and virtual computer network tech support
- Hardware and Software management and upgrades
- Virus, spyware and security protection for your computers and servers
- Complete support and solutions for your practice
- HIPAA/HITECH Compliance and Tech Support services
Give us a call now at (855) 551-7760 – your Computer Network will thank you!
If you are located in New Jersey or the NJ/NY area and are looking for Managed IT services and computer support for your medical practice, look no further: we are here to provide your medical practice with reliable IT support.