TIP: Focus on business associates and contracts
HIPAA Weekly Advisor, September 13, 2010
Covered entities (CEs) need to be certain that they have identified all of their business associates (BAs) and that CEs are bound by BA agreements, says John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD.
HITECH made BAs subject to compliance with the HIPAA Security Rule and the use and disclosure provisions of the HIPAA Privacy Rule.
The July 8 proposed rule to modify the HIPAA privacy, security and enforcement rules makes it clear that HIPAA and HITECH apply to BAs and require them to comply with most of the same rules as CEs. If they haven’t done so already, CEs must review their BA agreements to ensure that they include appropriate language, says Phyllis A. Patrick, MBA, FACHE, CHC, cofounder and managing director of AP Health Care Compliance Group, which has offices in Pittsburgh and Purchase, NY.
CEs must ensure that their BA agreements emphasize the need for BAs to be up to date with the latest HITECH requirements pertaining to the HIPAA privacy and security rules and enforcement compliance/outcomes for noncompliance, says Parmigiani.
BAs need to make sure they have contracts in place for all of their CE customers. HITECH made BAs equally responsible for entering into a BA contract with CE customers. BAs should ensure the contracts include language that puts the CE on notice that the BA is required to inform the CE if the CE appears to be violating the HIPAA privacy and security rules. If CEs don’t comply with the rules within a reasonable length of time, BAs are required to report CE violations to the Office for Civil Rights (OCR).
BA contracts should thoroughly address the role of BAs in a privacy breach. Address questions such as breach notification requirements and financial responsibility for responding to a breach, says Patrick. “All that needs to be spelled out,” she says.