Health Information Compliance Alert

The Third Degree:

Reader Questions Answered

Do we account for audit logs?

Question: We have begun auditing our computer systems. Through an exam of the audit logs, we discovered that some patient files were inappropriately accessed. Do those logs need to be included in our patients' accounting of disclosures?

Washington subscriber

Answer: "No," says John Parmigiani, senior VP for Consulting Services at QuickCompliance in Avon, CT. However, the log should facilitate your HIPAA Security Rule-mandated incident reporting system, he says. "If you determine nothing's been exposed, you're under no reporting requirements," adds Fred Langston, a principal with VeriSign in Seattle, WA.

Remember: If there has been exposure, the breach must be handled in accordance with your facility's defined policies and procedures for incidents, he confirms.

The Bottom Line: "Auditing flows into the incident response," Parmigiani explains. When a potential breach is discovered, the incident response team then investigates it and makes the necessary contacts, Langston concurs.

Any breaches must be reported, experts agree. "The key function of the reporting requirement is to make sure people whose information has been or may have been compromised have the ability to react," Langston reminds.


Who Signs Whose?

Question: We have decided to use a clearinghouse for our transactions. The company we've chosen has submitted a business associate agreement (BAA) for us to sign. Do we, as a covered entity, need to sign this agreement, or should we submit a BAA to them?

Nebraska subscriber

Answer: "This is an enormous problem, and there is no right answer," explains Kirk Nahra, an attorney with Wiley Rein & Fielding in Washington, DC. However, "your obligation is to make sure the right things are in the contract," he adds.

This focus on content is important because the "business associate agreement binds both parties," says attorney Kevin Troutman of New Orleans-based Fisher & Phillips.

Therefore, both your organization and your business associate must "negotiate until you reach a point where you feel the agreement covers everything and is fair to both sides," Troutman suggests.

The Bottom Line: Most of your business associates will have the minimum necessary information in their contracts. Make sure that you, as the customer, hammer out an agreement tailored to your facility, Troutman advises.

However, no matter who initiates the contract, "if it is complete and has what the company cares about, then it's fine to sign it," Nahra asserts.