NAID can help members address questions in the sale process
January 22, 2013
Sometimes, though not enough as far as I am concerned, I am asked to use NAID’s pulpit and expertise to help members in sales situations. This usually happens when a member needs to coax a client into recognizing their responsibilities or provide some type of proof statement correcting a misconception.
Having a letter from NAID correcting a client’s misconception can work wonders in tough situations. Whether it is a prospect questioning why they need to shred, what particle size to specify, or how NAID Certification factors into PCI compliance, a response from NAID can be very helpful. In fact, I am happy to provide such responses on any records information management issue where correct information is all that’s needed.
I do have one note of caution for members requesting such help. If the customer is arguing a point simply to justify not doing business with you, no letter is going to help. Such a letter can make them more defiant. You may have proved your point, but you will not end up with the business.
The letter below resulted when a member asked me to clarify a health care client’s need for a contract. My understanding was that a competitor was telling the client they did not need one, thereby putting customers at risk. When the member came to me for clarification, I provided the following response:
Your question about contracts is a good one and one that is often fraught with misconceptions. It is also especially timely, since the U.S. Department of Health and Human Services (HHS) just released their final ruling on how the Health Information Technology for Economic and Clinical Health (HITECH) Act will amend the Health Insurance Portability and Accountability Act (HIPAA).
First, while some data protection regulations such as the FACTA Final Disposal rule are vague on the requirement for a contract, HIPAA is not. From the beginning, HIPAA has required covered entities (CE) – which are the health care organizations – to have a written contract with any third party vendor that will have potential access to protected health information (PHI). Within HIPAA, these third parties are known as business associates (BA) and the required contract is referred to as a Business Associate Agreement (BAA).
The required BAA serves a number of purposes, as described within HIPAA. First, it contains language linking the BA to the Security Rule and Privacy Rule, which are two of the five rules that form the backbone of HIPAA. In addition, the BAA should clearly delineate the policies and procedures of the BA, so that any deviation from such can be monitored and/or documented.
Also, the recent release of the HITECH Final Rule amends HIPAA in many ways, some of which apply to the BAA. Most significantly, HITECH includes a breach notification requirement. Since this is new, HITECH also requires that a BAA includes language where the BA verifies they understand their responsibility to notify the CE of any potential data breach. Realizing that this would require a new BA to be executed, HITECH now specifically requires a new contract be written with such verification included. The deadline for the implementation of this language has already passed.
HITECH also includes a far more serious provision that needs to factor into this discussion. HITECH Final Rule directs HHS to impose mandatory investigations and fines where a HIPAA violation rises to the level of “willful neglect.” There is no doubt in my mind that a health care organization’s failure to have a properly executed contract, as clearly required by the law, would rise to that level. Should HHS or the state attorney general learn of a health care organization not having a BAA in place, the law would require an investigation and the CE could get fined between $10,000 and $50,000 per incident (in this case, an incident would be for every BA that did not have a BAA).
Let me know if you need further information.
Bob Johnson, CEO
National Association for Information Destruction, Inc.