Tips to get your business associates to comply with HIPAA

HIM-HIPAA Insider, July 27, 2009

Last week, HIPAA Weekly Advisor gave your business associates (BAs) tips on how to comply with the HIPAA Security Rule beginning February 18, 2010.

That mandate is part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law by President Obama February 17, 2009.

Here are two more tips you can use when preparing for the new requirements:

Don't rewrite the entire contract. "The changes to the BA contracts should be minimal," says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR. Apgar suggests including a new short statement or paragraph indicating that the BA must now comply with the HIPAA security rule and the use and disclosure provisions of the privacy rule.

Add breach notification language to BA contracts. The language should require the BA to notify the covered entity within five days of a breach, Apgar says. This aligns with the new California breach notification requirement and addresses the question of when the 60-day notification clock starts. "Also, I would recommend adding language requiring that the BA pay the cost of notification, which could get rather expensive if the breach includes a significant number of individuals," Apgar says.

Editor's note: These tips were taken from the HCPro, Inc. white paper, Business Associates and HIPAA: What BAs need to know to comply with HIPAA privacy and security rules. Download a free copy of the full white paper. Sign up for HCPro, Inc.'s July 29 audio conference, Business Associates and Covered Entities: Adapt Contracts to Comply With New HIPAA Law.

These tips also appeared in a HealthLeaders Media article by Dom Nicastro.

Look for more tips in next week’s HIPAA Weekly Advisor.
