Maintaining the privacy and security of patient information is part of the foundation of providing good health care. But complying with regulations under the Health Insurance Portability and Accountability Act (HIPAA) presents daunting challenges. The stakes for compliance are higher than ever, with random government audits, tougher investigations, breach notification obligations, and the threat of hefty financial penalties.

Davis Wright Tremaine offers toolkits for Covered Entities, Business Associates, Financial Institutions, and Cloud Providers.

For Covered Entities

To help providers overcome the challenges of HIPAA compliance and stay on top of evolving rules and requirements, Davis Wright Tremaine developed the HIPAA Audit Toolkit for Covered Entities, which has been updated for 2019. Used by some of the country’s most sophisticated and respected health care systems, the Toolkit offers a cost-effective means for HIPAA covered entities to assess vulnerabilities in their privacy, security, and breach notification programs, move toward solutions, and reduce the legal risks of a government HIPAA investigation or audit. The 2019 edition has been updated with recent information about the Office for Civil Rights audit program, including the revised audit protocol and recent guidance on topics such as an individual’s right of access and ransomware.

The Toolkit includes the following, all of which have been updated to reflect the HIPAA Omnibus Rule:

  • A Privacy Compliance Assessment Tool, including relevant portions of the HHS Office for Civil Rights audit protocol
  • A Breach Notification Compliance Assessment Tool, including relevant portions of the audit protocol
  • A Security Compliance Assessment Tool, including relevant portions of the audit protocol, providing a legal review of security efforts
  • Checklists for notices of privacy practices, business associate agreements, authorizations, data use agreements, group health plan documents, and breach notices
  • Information about HHS HIPAA audits and enforcement, including sample 2019 data requests
  • A copy of the current HIPAA regulations
  • An hour of legal consultation with a DWT attorney of your choice to analyze the results of your assessment (subject to execution of an engagement letter and conflicts check)

For Business Associates

If your organization handles health information on behalf of a health care provider or health plan, either directly or indirectly, then it likely qualifies as a business associate under HIPAA. This means that you need to have a robust set of policies and procedures and supporting documentation, and be prepared for potential government audits or investigations. But where to begin?

Davis Wright Tremaine has created the HIPAA Audit Toolkit for Business Associates, a compliance tool designed to address the HIPAA privacy, security, and breach notification issues facing a variety of business associates. The Toolkit includes:

  • An overview of HIPAA, providing background on HIPAA and how it applies to business associates
  • A Privacy and Breach Notification Compliance Assessment Tool, which identifies potential compliance gaps and recommends best practices in areas such as uses and disclosures of protected health information and incident reporting
  • A Security Compliance Assessment Tool, providing a legal review of security efforts
  • Checklists for business associate agreements with customers, business associate agreements with vendors, HIPAA-compliant authorization forms, group health plan documents, and breach notices
  • A copy of the current HIPAA regulations
  • Information about HHS HIPAA audits and enforcement, including sample 2019 data requests
  • An hour of legal consultation with a DWT attorney of your choice to analyze the results of your assessment (subject to execution of an engagement letter and conflicts check)

For Financial Institutions

Financial institutions are often subject to HIPAA’s privacy, security, and breach notification requirements through a variety of services provided to health care providers and health plans. They have unique issues, sometimes being subject to HIPAA as a health care clearinghouse, sometimes acting solely as a business associate to a health care provider or health plan, and sometimes being exempt from HIPAA under Section 1179 of the Social Security Act.

Davis Wright Tremaine has created the HIPAA Audit Toolkit for Financial Institutions, a compliance tool designed to address the specific HIPAA privacy, security, and breach notification issues facing financial institutions. The Toolkit includes:

  • An overview of HIPAA and financial institutions, providing background on HIPAA and identifying how it potentially applies to a financial institution
  • A Privacy and Breach Notification Compliance Assessment Tool, which identifies potential compliance gaps and recommends best practices in areas such as uses and disclosures of protected health information, incident reporting, and designating as a “hybrid entity” to limit liability
  • A Security Compliance Assessment Tool, providing a legal review of security efforts
  • Checklists for business associate agreements with customers, business associate agreements with vendors, HIPAA-compliant authorization forms, and breach notices
  • A copy of the current HIPAA regulations
  • Excerpts of HIPAA regulatory commentary and guidance specific to financial institutions
  • Information about HHS HIPAA audits and enforcement, including sample 2019 data requests
  • An hour of legal consultation with a DWT attorney of your choice to analyze the results of your assessment (subject to execution of an engagement letter and conflicts check)

For Cloud Providers

The 2013 HIPAA Omnibus Rule clarified that an entity, such as a cloud service provider, is subject to HIPAA as a business associate when it maintains protected health information on behalf of a covered entity or another business associate. Cloud providers, however, face a unique set of HIPAA challenges. For example, depending on the type of cloud services provided, the cloud provider may not be able to identify the type of protected health information that it is maintaining, creating challenges in areas such as breach notification or accounting of disclosures.

Davis Wright Tremaine has created the HIPAA Audit Toolkit for Cloud Providers, a compliance tool designed to address the specific HIPAA privacy, security, and breach notification issues facing cloud providers. The Toolkit includes:

  • An overview of HIPAA and Cloud Providers, providing background on HIPAA and identifying how it potentially applies to a Cloud Provider
  • A Privacy and Breach Notification Compliance Assessment Tool, which identifies potential compliance gaps and recommends best practices in areas such as uses and disclosures of protected health information and incident reporting
  • A Security Compliance Assessment Tool, providing a legal review of security efforts
  • Checklists for business associate agreements with customers, business associate agreements with vendors, HIPAA-compliant authorization forms, group health plan documents, and breach notices
  • A copy of the current HIPAA regulations
  • Excerpts of HIPAA regulatory commentary and guidance specific to cloud providers
  • Information about HHS HIPAA audits and enforcement, including sample 2019 data requests
  • An hour of legal consultation with a DWT attorney of your choice to analyze the results of your assessment (subject to execution of an engagement letter and conflicts check)