Health Information Management

Many business associates not ready to comply with HIPAA

HIM-HIPAA Insider, June 29, 2009

Since the Health Information Technology for Economic and Clinical Health Act passed Feb. 17, we've heard a lot of banter about business associates (BA).

BAs must comply directly with the HIPAA Security Rule and components of the Privacy Rule by February 18, 2010.

One HIPAA privacy and security officer told us in a focus group she's concerned because it's not clear what a covered entity's role should be as far as educating BAs. (Technically, covered entities have no obligation to train BAs.)

That same HIPAA officer is working on the final draft of a BA contract, and her facility is unsure whether it will have one standard contract or individual language for each BA.

It makes sense for a covered entity to develop a template and then change only some of the details, in particular the description of what uses and disclosures of PHI the BA is permitted, according to Kate Borten, CISSP, CISM, president of The Marblehead Group and a HIPAA privacy and security expert.

Read the full report by HealthLeaders Media’s Dom Nicastro.
