Health Information Management

Sneak peek: White paper examines HIPAA and business associates

HIM-HIPAA Insider, June 22, 2009

Editor’s note: The following is an excerpt from the soon-to-be-published HCPro, Inc., white paper, Business Associates and HIPAA: What BAs need to know to comply with HIPAA Privacy and Security Rules.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law February 17, requires that BAs:

  • Comply with the use and disclosure requirements of the HIPAA Privacy Rule (Section 13404 of the HITECH Act) and include those terms in the contract with the covered entity
  • Notify the covered entity of any individual whose unsecured PHI has been inappropriately released or obtained
  • Ensure that the notification meets the following provisions of Section 13402 of the HITECH Act:
      • A breach is considered discovered on the first day a covered entity or BA knows or should have known about it
      • BAs must notify covered entities of any breaches and provide detailed information about the breach, along with the names and contact information of individuals involved
      • Covered entities and BAs must notify individuals about a breach as soon as possible, but no later than 60 days following discovery of the breach
      • Delays in notification must include evidence demonstrating the necessity of the delay
