Allison Royce of San Antonio offers HIPAA Compliant Services and Technology

Is Your Technology and Your Technology Provider HIPAA Compliant?

Allison Royce of San Antonio is a HIPAA compliant technology provider, offering HIPAA compliant IT services (e.g., risk assessment, computer security, server administration, and network management) as a "Business Associate" in accordance with the HIPAA Security Rule located at 45 CFR Part 160 and Subparts A and C of Part 164 in the HIPAA Administrative Simplification Regulation Text.

While the effective date of the Final Rule was March 26, 2013, the actual compliance date for most of the Rule's provisions was September 23, 2013.

Covered Entities should revise their Business Associate Agreements (BAA) to reflect the new requirements under the Final Rule. Covered Entities must enter into new BAAs or modify existing BAAs by September 23, 2013. Existing BAAs that were entered into on or before January 25, 2013 and have not been modified after March 26, 2013 will not have to be updated until September 23, 2014. (American Academy of Family Physicians [AAFP]) (See also Deadline To Update HIPAA Materials Is September 23, 2013 – Martindale-Hubbell, Montgomery McCracken, McGuireWoods, Sherman & Howard, and INFORMATION LAWGROUP)

If you are a "Covered Entity" under the HIPAA Security Rule, a good first step toward becoming HIPAA compliant is to conduct a network risk analysis to determine whether your technology, and related policies and procedures, meet the standards set by the Security Rule. Another good prerequisite to compliance is a review of your vendors who fall under the title of "Business Associate."


What Is A Business Associate

According to the U.S. Department of Health & Human Services, a Business Associate is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule. [emphasis added]

What To Do Now

Do you know what your organization needs to do in order to become technologically HIPAA compliant, either as a Covered Entity or Business Associate? Covered Entities, such as physicians and healthcare clinics, and Business Associates (e.g., vendors like Allison Royce) must come into compliance with the HIPAA privacy and security requirements.


Allison Royce of San Antonio strives to ensure, as a Business Associate and as an IT Service Provider, that all of the services we offer are in compliance with HIPAA. Take a moment to review our services and contact us. We are ready to discuss your current network configuration and related organizational practices.


Important and Helpful Links

Important Deadlines from Centers for Medicare & Medicaid Services

Compliance may not be as complicated as you think, but it is a good idea to begin considering how, when and where your organization comes into contact with Protected Health Information (PHI).

September 23, 2013 While the effective date of the Final Rule was March 26, 2013, the actual compliance date for most of the Rule's provisions is September 23, 2013.

Covered Entities should revise their Business Associate Agreements (BAA) to reflect the new requirements under the Final Rule. Covered Entities must enter into new BAAs or modify existing BAAs by September 23, 2013. Existing BAAs that were entered into on or before January 25, 2013 and have not been modified after March 26, 2013 will not have to be updated until September 23, 2014.

December 31, 2013 Certification, Part 1 – Health plan must certify data and information systems are in compliance with applicable standards and operating rules for:

  • eligibility for a health plan
  • health claim status
  • health care electronic funds transfers (EFT) and remittance advice

January 1, 2014 Effective date of operating rules for:

  • health care electronic funds transfers (EFT) and remittance advice

January 1, 2014 Effective date of standards for:

  • electronic funds transfers (EFT)

October 1, 2014 ICD-10 CM and ICD-10 PCS

November 5, 2014 Health Plans (Controlling Health Plan or CHPs) must obtain Health Plan Identifier (HPID); small health plans have until November 5, 2015

December 31, 2015 Certification, Part 2 – Health plan must certify that its data and information systems are in compliance with applicable standards and operating rules for:

  • health claims or equivalent encounter information
  • enrollment and disenrollment in a health plan
  • health plan premium payments
  • referral certification and authorization
  • health claims attachments

January 1, 2016 Effective Date of operating rules for:

Effective Date of standard and operating rules for:

  • health claims or equivalent encounter information
  • enrollment and disenrollment in a health plan
  • health plan premium payments
  • referral certification and authorization
  • health claims attachments

November 7, 2016 Covered Entities must use HPID to identify health plans in transactions