Health Information Management

TIP: Establish safeguards to prevent a breach

HIM-HIPAA Insider, November 30, 2009

Editor’s note: This is the second in a series of tips in HIPAA Weekly Advisor about preventing breaches. On August 19, HHS released its interim final rule on breach notification for unsecured protected health information (PHI). The PHI breach notification regulations took effect September 23. However, HHS will not enforce the rule until February 22, 2010.

Andrew E. Blustein, Esq., recommends covered entities (CE) discuss with vendors their responsibility for protecting patient information.

Vendors who are business associates (BAs) must enter into an agreement with the CE. Further, contact each vendor and discuss appropriate safeguards to protect patients’ PHI. If the BA is an agent of the CE, the CE is considered to have notice of the breach at the time the BA has notice. Make clear the lines of communication and responsibility between you and your BA.

Blustein is a partner and cochair of Garfunkel, Wild & Travis’ Health Information and Technology Group in Great Neck, NY; Hackensack, NJ; and Stamford, CT. This material is an excerpt from the HCPro, Inc., white paper, “HHS Breach Notification Interim Final Rule. Form Your Incident Response Team, Set Policies and Procedures to Comply with New Federal HIPAA Regulations.”
