Do you know who has control of the protected health information (PHI) for your patients? You should, because anyone in the "chain of trust" of that data can also be the one who triggers a HIPAA violation and the subsequent fine.
The Federal Register, in relation to the HITECH Act, provides that "a person becomes a business associate by definition, not by the act of contracting with a covered entity or otherwise. Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate." (78 Fed. Reg. 5566, 5598 (Jan. 25, 2013)). This means that the status of "business associate" is not conferred by a Business Associate Agreement (BAA) but, rather, the designation is presumed by action in relation to PHI.
Hence, when any entity is involved in creating, receiving, maintaining, or transmitting PHI in relation to your medical practice, compliance with all of the HIPAA Security Standards is mandatory.
A good place to start is with the requisite policies and procedures. As is the case with most things, not all policies and procedures are created equal. They must be specific to the organization, using the Code of Federal Regulations (CFR) standards as guidelines. After all, what good is it to copy out a section of the regulation if its premise is never applied to the organization's own operations? Worse, the organization would not know what to do in the event of a disaster, breach, or unintentional disclosure of information.
As it relates to the bottom line of any organization, including a physician's practice, compliance can reduce legal risk and fines. One such area is civil monetary penalties (CMPs). With the passage of the HITECH Act and the Omnibus Rule, a significant change was made to 42 CFR § 160.402(c), which addresses liability for CMPs. This relates to the federal law of agency.
Under HITECH, the exception for "unanticipated and unknown" actions between contracted agents was removed. Now an entity, whether it is a covered entity, business associate, or subcontractor, may be liable for another party's acts. It is also important to define the parameters of control between the parties and to make sure that contractors are true independent contractors. Therefore, there is a strong incentive to perform adequate due diligence and make sure that everyone in the "chain of trust" is compliant with the law. Performing due diligence on these two variables, each party's compliance and the degree of control exercised over it, can significantly reduce the risk of a CMP for your medical practice.
Another way to reduce out-of-pocket liability expenses is to purchase cybersecurity insurance. Although it is an additional operating expense, it can be valuable in reducing overall liability, and some contracting entities require it.
In sum, it comes down to compliance and due diligence. As I have reiterated before, "an ounce of prevention is worth a pound of cure." So, think of compliance and due diligence as "preventative medicine" for HIPAA!