Quick Action Can Mitigate Breach Impacts


“If you haven’t had a breach at your organization, you aren’t looking hard enough because everyone has them.” That’s the message health attorney Kirk Nahra, a partner at Wiley Rein LLP in Washington, D.C., brought to an education session at the American Health Information Management Association’s annual conference in Atlanta.

Walking through components of the revamped HIPAA rules now in effect, Nahra counseled that the single most important thing to do in a breach situation is to act quickly to understand and mitigate the effects of the breach, so as to eliminate a realistic chance of risk and be able to avoid public notification. “In an extraordinary amount of cases, you can actually fix the problem if you act quickly.”

While covered entities have a year from the Sept. 23, 2013, compliance date to sign new business associate agreements (BAAs) with contractors, Nahra cautioned against waiting: get it done now. It is the obligation of covered entities to get BAAs signed, he added, but remember that business associates are still obligated to abide by HIPAA with or without a BAA. Most business associates, he said, are not fully compliant today, particularly with the security rule, so push them to get there.

Too many covered entities also are not compliant with the security rule. Under the revamped HIPAA rules now in force, nothing changed in the security rule except that its provisions apply for the first time to business associates, Nahra said. But many covered entities have security rule policies and procedures that haven’t been updated in years, even though the rule requires ongoing evaluation of those policies and procedures.

 
