HIPAA Blog Posts: HIPAA Business Associates

HIPAA Omnibus: Educating Vendors. A CISO Describes Challenges with Smaller Business Associates

"So the education to help them understand their [new HIPAA] obligations, and to work with them to identify the bigger risk areas, and to create a corrective action plan or a remediation schedule - that's going to be an ongoing conversation for us. That is something that will never go away," says Jeff Cobb, CISO at Capella Healthcare. The Tennessee-based health system, which operates 14 acute care and specialty hospitals in six states, deals with many smaller business associates that lack a mature security program.


Are Your BAs HIPAA Compliant? "Think before you share, part III: is my data secure?", Foley & Lardner LLP, Peter I. (Pete) Sanborn

"The general principle is to ensure the breadth and depth of the vendor’s security obligations are aligned with the sensitivity of the data. Additionally, the agreement should specify the vendor’s obligations in the event of a breach (both in terms of reporting/investigating the breach and in terms of paying for the downstream costs/expenses associated with notifying the impacted individuals), and your rights during the agreement to audit the vendor’s compliance with the security requirements."


Time's up! Compliance deadline for HIPAA/HITECH final rules has arrived, Blank Rome LLP, Nicholas C. Harbist, Jennifer J. Daniels and Angela M. Guarino

"Relationship Review—Have you reviewed your relationship with vendors to ensure compliance with the Final Rules?"


Am I a Business Associate under HIPAA HITECH?

Whether it is confusion or denial, there are a lot of organizations that don't seem to understand that they are business associates and therefore are required to comply with HIPAA. The HITECH Act was passed in 2009 and amended HIPAA to include business associates, yet in 2013 we still get calls from people wanting to know if they are a business associate. Partially this is due to the fact that in 2010 HHS announced that they were delaying enforcement until the rules were published.


HIPAA Audits of Business Associates; October 1, 2013?

October 1, 2013 will be the beginning date for HIPAA audits of business associates. This is the beginning of the 2014 fiscal year for HHS, and they will start setting up unannounced audits of business associates, says Rachel Seeger, a spokesperson for the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA.


Covered Entities Liable for Their Business Associates under HIPAA Omnibus Rule

In the past, a covered entity was not liable for breaches caused by its business associates if it had a BA agreement in place and did not know of a pattern of non-compliance. That has changed under the Omnibus Rule if the business associate is deemed an agent of the covered entity.


Compliance Checklist HIPAA HITECH Omnibus Rule

Ignorance of the HIPAA HITECH Omnibus Rule is rampant and can cause a lot of pain. We have developed a 10-question checklist to let you evaluate whether you are compliant.


Majority of Business Associates Unfamiliar with HIPAA Omnibus Rules

In a recent survey, less than a month before the HIPAA HITECH Omnibus goes into effect, a majority of business associates are unaware of the new requirements. Covered entities need to ask some questions, find out who is non-compliant, and ask them to remediate these risks. If the business associates can't or won't, the covered entity needs to sever the business relationship.


Tick, tick, tick … time is running out for HIPAA Omnibus Rule compliance, Davis Wright Tremaine LLP, Rebecca L. Williams, Adam H. Greene and Amy L. Kauppila

 Business associates should consider:

  1. Performing a risk analysis and risk management evaluation;
  2. Developing security policies and procedures consistent with the Security Rule;
  3. Updating breach notification policies;
  4. Establishing processes for verifying the business associate’s compliance with its BAA obligations; and
  5. Developing an approach for negotiating BAAs (for both covered entities and subcontractors) including updating BAA templates. 


The deadline for compliance with the HIPAA Omnibus Rule is September 23, 2013. Are you ready?, Greenberg Traurig LLP, Eleanor (Miki) A. Kolton

"Implementation or review of an existing HIPAA Privacy Policy Manual, including policies and procedures and forms such as the NPPs and releases of health information form;
Preparation of a new or revised BAA form (which includes, but is not limited to, addressing downstream contractors);
Implementation or review of an existing HIPAA Security Policy Manual, including guidance for performing a risk assessment and model policies; and
Implementation of workforce training."
