What are our obligations for monitoring business associates for HIPAA compliance?
HIPAA Weekly Advisor, June 21, 2004
The goal for your covered entity when monitoring a business associate's handling of PHI is to have accountability without increasing exposure to liability. Although covered entities do not have a duty to monitor their associates, there is a small body of case law that holds entities or providers liable for failures if they aggressively monitor these relationships.
If you are overly involved with a business associate when there is a breach, or if you are overly aggressive in monitoring what your business associate does, then you're opening yourself up to that business associate being characterized as your agent. You could be held liable for its actions.
A covered entity is required to take action when it has knowledge of a breach, such as when a business associate reports an unauthorized use or disclosure of protected information.
Organize key information about business associate relationships in one place, and use a highly organized, systematic approach to handling access to information or accounting for disclosure requests that involve information maintained by a business associate. Require quarterly reports from business associates on specific information.
Editor's note: This question was answered by Edward F. Shay, Esq., of the firm Post & Schell in Philadelphia, for the HCPro Inc. newsletter, Briefings on HIPAA.