• Top Five Resolutions for Covered Entities and Business Associates in 2015
  • March 5, 2015 | Authors: Jenna K. Shedd; Lawrence J. Tabas
  • Law Firm: Obermayer Rebmann Maxwell & Hippel LLP - Philadelphia Office
  • The New Year is here. It is time to make those 2015 resolutions, and not just those for getting fit and healthy. Resolve now to improve your organization’s compliance with the Health Insurance Portability and Accountability Act (“HIPAA”).

    HIPAA requires entities that create, receive, maintain, or transmit protected health information (“PHI”) to protect that PHI from unauthorized access, use, or disclosure. Entities that must comply with HIPAA include covered entities (health care providers, health plans, and health care clearinghouses) and business associates (entities that create, receive, maintain, or transmit PHI while performing services on behalf of a covered entity, such as billing, IT hosting, or data analysis vendors).

    Privacy and security risks to PHI are constantly evolving. The increasing use of digital devices (such as smartphones and tablets) has increased the risk to PHI and made it more complicated for covered entities and business associates to police the security and privacy of PHI. There is no better time than the present to review and refresh your organization’s compliance with HIPAA. Below is a list of our suggested top five resolutions for covered entities and business associates in 2015.


    Covered entities and business associates are required by the HIPAA Security Rule (45 C.F.R. § 164.308(a)(1)(ii)(A)) to conduct an accurate and thorough risk analysis of the risks and vulnerabilities to electronic PHI, and to regularly review and update that risk analysis. This is not a new requirement. However, many covered entities and business associates have yet to begin or complete a risk analysis. In the event of a HIPAA breach, the absence of a current risk analysis is one of the first things investigators look for, and it will most likely lead to substantial penalties and damage to your organization’s reputation. Now is the time to conduct a risk analysis. If your organization already has one, make a plan to revisit it and update it to account for new systems, new vendors, and any other new risks to your organization. For additional background information on conducting a risk analysis, see this information sheet from HHS.


    Once your organization has conducted a risk analysis, it must decide how it will address the risks identified. In order to do so, your organization must develop a risk management plan (45 C.F.R. § 164.308(a)(1)(ii)(B)). A risk management plan prioritizes the order in which your organization will address the risks identified by the risk analysis, and it sets forth a structure for implementing security measures sufficient to reduce those risks to a reasonable and appropriate level. It should also record who owns each remediation item and when it is due, so that progress can be demonstrated later. Like your risk analysis, your risk management plan should be reviewed and updated regularly to address new risks. For additional background information on developing and implementing a risk management plan, see this information sheet from HHS.


    Your organization might have very extensive and detailed policies and procedures focusing on HIPAA compliance. However, if employees are not trained and retrained on the details of these policies and procedures, then the policies and procedures are meaningless. All workforce members who have access to PHI (HIPAA’s definition of “workforce” covers not only employees but also volunteers, trainees, and others under your organization’s direct control) must be trained and retrained, and that training must be documented. Privacy and security officers must be trained and retrained as well, as they are responsible on a daily basis for ensuring that your organization is in compliance with HIPAA. Make a resolution to refresh your workforce’s knowledge of HIPAA and of your organization’s policies and procedures. The goal is that this training will help to prevent breaches and give employees a clear action plan, including whom to notify, in the event of a suspected breach.


    The use of mobile devices (such as smartphones and tablets) is on the rise. Therefore, your organization needs to decide how it will handle lost or stolen mobile devices that contain PHI or other sensitive, confidential, or proprietary information. Although your organization may address lost or stolen mobile devices in a general breach notification policy, your organization may wish to consider the development and implementation of a policy and procedure specific to lost or stolen mobile devices. For example, such a policy may include specific instructions on locking and remotely wiping a mobile device as soon as it is reported missing. Two practical points to keep in mind: a remote lock or wipe only takes effect if the device is enrolled in your management tooling and reconnects to a network, so it cannot be the only safeguard; and PHI that was encrypted in a manner consistent with HHS guidance is not “unsecured PHI,” so the loss of a fully encrypted device generally does not trigger breach notification, which makes device encryption the most valuable control to have in place beforehand.


    Business associates must comply with HIPAA, and since the 2013 Omnibus Rule they are directly liable for violations of the Security Rule and of certain Privacy Rule provisions. Therefore, your organization should ensure that your business associates are doing just that. Take the time in 2015 to inventory your business associate agreements and update any agreements as necessary. Keep a list of all business associates, the PHI each one handles, and the expiration dates of all business associate agreements. Update this list regularly. All business associate agreements were required to be updated to reflect the Omnibus Rule by September 23, 2013, or by September 22, 2014 for agreements that were already in place on January 25, 2013 and were not modified in the interim. These deadlines have long since passed. If your agreements have not been updated, now is the time to do so.

    Note: This post only contains a suggested list of resolutions. Resolutions will vary based on your organization’s needs and the current state of your organization’s compliance with HIPAA.