Health Information Management

Questions on business associates and HITECH

HIM-HIPAA Insider, January 18, 2010

HCPro, Inc. hosted the January 14 audio conference, “Business Associate Action Plan: Comply with HITECH by February Deadline.”

The questions have not stopped rolling in since the show concluded.

For example:

  • I oftentimes see a timeframe listed in BA agreements, such as “Business associate must report any breaches to Covered Entity within five days of discovery.” Are there any such timelines required by HIPAA or HITECH (other than, I believe, the CE has 60 days to report the breach)?
  • If a business associate (BA) with a signed business associate agreement (BAA) is responsible for a privacy breach related to PHI, who would be responsible for the harm threshold risk analysis and breach notification, the CE or the BA?
  • If a BAA is executed, can a CE still be held liable for civil money penalties (CMP) or potential criminal liability for breaches the BA caused and/or is responsible for?
  • Do the BA amendments under HITECH have to be mutually signed or can they be unilaterally sent out to BAs to be legally amended to existing BAAs? Is this acceptable?

We’ve posted these questions on our HIPAA Update blog. Weigh in, and see what your colleagues are saying.
