Answers to HITECH questions

HIM-HIPAA Insider, January 25, 2010

Last week, we shared some of the questions posed during the January 14 HCPro, Inc., audio conference, “Business Associate Action Plan: Comply with HITECH by February Deadline.”

We tracked down answers to two of the questions:

Q. I oftentimes see a timeframe listed in BA agreements, such as “Business associate must report any breaches to Covered Entity within five days of discovery.” Are there any such timelines required by HIPAA or HITECH, other than I believe the CE has 60 days to report the breach?
A. According to HITECH, a “business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach. Such notice shall include the identification of each individual whose unsecured (PHI) has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.”

Q. If a business associate (BA) with a signed business associate agreement (BAA) is responsible for a privacy breach related to PHI, who would be responsible for the harm threshold risk analysis and breach notification, the CE or the BA?
A. According to HITECH, the covered entity is responsible for notifications in response to a breach. In terms of risk analysis, ultimately, it’s the covered entity’s duty to determine the harm threshold of a breach, but BAs can help by conducting their own analysis, says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal, HIPAA Boot Camp, in Casa Grande, AZ.