...significant changes will affect all parties that handle PHI from healthcare providers, to their business associates and all other allowable third parties.
Chantilly, Virginia (PRWEB) September 16, 2013
NAVEOS®, a Virginia-based healthcare data analytics company, reports the Health Insurance Portability and Accountability Act (HIPAA) HIPAA / HITECH Final Rule published in January, has heightened requirements regarding Privacy and Security of Personal Health Information (PHI). The Final Rule, considered an Omnibus Rule, require all parties comply with all provisions by September 23, 2013.
Mike Sabo, Vice President of Regulatory Affairs for NAVEOS®, states the significant changes will affect all parties that handle PHI from healthcare providers, to their business associates and all other allowable third parties.
Sabo says, “It is imperative that healthcare organizations review the final rule in its entirety.” For all HIPAA related information and the Omnibus Rule, go to the Office for Civil Rights Office (OCR) website: http://www.hhs.gov/ocr/privacy/index.html.
RELATIONSHIPS between Covered Entities (CE) and their Business Associates (BA) and sub-contractors require a Business Associate Agreement (BAA).
It is imperative that all healthcare organizations have a BAA in place for all Business Associates.
ENFORCEMENT RULES: BA’s and subcontractors are now subjected to substantial Criminal and or Civil liabilities.
Liabilities for BA’s and subcontractors will be as if they were a Covered Entity.
Removal of “Risk of Harm Assessment.”
The Final Rule states that impermissible disclosures of PHI will be considered a breach unless the CE or BA can demonstrate a “low probability that the PHI has been compromised.”
RISK ANALYSIS REVISIONS
Potential or Presumptive Breach “Risk Harm Assessment” has been replaced by Risk Analysis Factors that should be considered and designed to “focus more objectively on the risk that the PHI has been compromised. The Final Rule states the four factors below AND any other relevant considerations be included in the Risk Analysis:
1. The nature and extent of the PHI involved, including they types of identifiers and the likelihood of re-identification.
2. The unauthorized person who used the PHI or to whom the disclosure was made.
3. Whether the PHI was actually acquired and viewed.
4. The extent to which the risk to the PHI was mitigated.
NAVEOS® can advise healthcare providers on the impact the HIPAA/HITECH Final Rule to their organization. If you have any questions regarding information in this press release, please contact Mike Sabo, Vice President of Regulatory Affairs for NAVEOS at mike(dot)sabo(at)naveosdata(dot)com, or visit http://www.NaveosData.com.