What are our duties, if any, if we believe that one of our business associates has misused PHI?
HIPAA Weekly Advisor, May 23, 2003
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: What are our duties, if any, if we believe that one of our business associates has misused PHI?
A: The regulations require that a covered entity take steps to cure the breach or end the violation when it knows of a pattern of activity or practice that constitutes a material breach or violation of the business associate obligations under the contract. A covered entity is not responsible or liable for the actions of its business associates.
If such steps are unsuccessful, the covered entity must
- terminate the contract, if possible
- report the problem to HHS, if the contract cannot be terminated
HHS commentary in the privacy rule notes that "knowing" means a covered entity has substantial and credible evidence of a violation. HHS also notes that although this standard relieves the covered entity of the need to actively monitor its business associates, a covered entity nonetheless is expected to investigate when they receive complaints or other information that contain substantial and credible evidence of violations by a business associate, and it must act upon any knowledge of a violation.
HHS does not have the statutory authority to hold business associates liable under the regulations.
Editor's note: Brought to you by attorneys Marty Baxter and Gretchen McBeath at Bricker and Eckler, LLP and The Quality Management Consulting Group, Ltd.. E-mail: mbaxter@bricker.com or gmcbeath@bricker.com
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- HIPAA Q&A: Level of encryption needed for email
- QA:Coding multiple initial infusions
- News and briefs: Oklahoma Osteopathic Association against residency bill change
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- CMS has reformulated payments for some bilateral procedures
- Catch up on what's new with injections and infusions
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- Hospitals are not bound by InterQual criteria for determining patient status
- ED-to-inpatient transfers are flawed with safety gaps
- Searched