“If you haven’t had a breach at your organization, you aren’t looking hard enough because everyone has them.” That’s the message health attorney Kirk Nahra, a partner at Wiley Rein LLP in Washington, D.C., brought to an education session at the American Health Information Management Association’s annual conference in Atlanta.

Walking through components of the revamped HIPAA rules now in effect, Nahra counseled that the single most important thing to do in a breach situation is to act quickly to understand and mitigate the effects of the breach, so as to eliminate a realistic chance of risk and be able to avoid public notification. “In an extraordinary amount of cases, you can actually fix the problem if you act quickly.”

While covered entities have a year from the Sept. 23, 2013, compliance date to sign new business associate agreements with contractors, Nahra cautioned not to wait--get it done now. It is the obligation of covered entities to get BAAs signed, he added, but remember that business associates still are obligated to abide by HIPAA with or without a BAA. Most business associates, he said, are not fully compliant today--particularly with the security rule--so push them to get there.

Too many covered entities also are not compliant with the security rule. Under the revamped HIPAA rules now in force, nothing changed in the security rule except applying its provisions for the first time to business associates, Nahra said. But many covered entities have security rule policies and procedures that haven’t been updated in years, even though the rule requires ongoing evaluation of the policies and procedures.

