HIPAA Blog Posts: HIPAA Business Associates
"So the education to help them understand their [new HIPAA] obligations, and to work with them to identify the bigger risk areas, and to create a corrective action plan or a remediation schedule - that's going to be an ongoing conversation for us. That is something that will never go away," Jeff Cobb, CISO at Capella Healthcare. The Tennessee-based health system, which operates 14 acute care and specialty hospitals in six states, deals with many smaller business associates that lack a mature security program.
Are Your BAs HIPAA Compliant? "Think before you share, part III: is my data secure?" Foley & Lardner LLP Peter I. (Pete) Sanborn
"The general principle is to ensure the breadth and depth of the vendor’s security obligations are aligned with the sensitivity of the data. Additionally, the agreement should specify the vendor’s obligations in the event of a breach (both in terms of reporting/investigating the breach and in terms of paying for the downstream costs/expenses associated with notifying the impacted individuals), and your rights during the agreement to audit the vendor’s compliance with the security requirements."
Time's up! Compliance deadline for HIPAA/HITECH final rules has arrived Blank Rome LLP Nicholas C. Harbist, Jennifer J. Daniels and Angela M. Guarino
"Relationship Review—Have you reviewed your relationship with vendors to ensure compliance with the Final Rules?"
Whether it is confusion or denial, there are a lot of organizations that don't seem to understand that they are business associates and therefore are required to comply with HIPAA. The HITECH Act was passed in 2009 and amended HIPAA to include business associates, yet in 2013 we still get calls from people wanting to know if they are a business associate. Partially this is due to the fact that in 2010 HHS announced that they were delaying enforcement until the rules were published.
October 1, 2013 will be the beginning date for HIPAA audits of business associates. This is the beginning of the 2014 fiscal year for HHS, and they will start setting up unannounced audits of business associates, says Rachel Seeger, a spokesperson for the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA.
In the past, a covered entity was not liable for breaches caused by their business associates if they had a BA agreement in place and did not know of a pattern of non-compliance. That has changed under the Omnibus Rule if the business associate is deemed an agent of the covered entity.
Ignorance of the HIPAA HITECH Omnibus Rule is rampant and can cause a lot of pain. We have developed a 10-question checklist to let you evaluate whether you are compliant.
In a recent survey, less than a month before the HIPAA HITECH Omnibus Rule goes into effect, a majority of business associates are unaware of the new requirements. Covered entities need to ask some questions, find out who is non-compliant, and ask them to remediate these risks. If they can't or won't, they need to sever the business relationship.
Tick, tick, tick … time is running out for HIPAA Omnibus Rule compliance Davis Wright Tremaine LLP Rebecca L. Williams, Adam H. Greene and Amy L. Kauppila
Business associates should consider:
- Performing a risk analysis and risk management evaluation;
- Developing security policies and procedures consistent with the Security Rule;
- Updating breach notification policies;
- Establishing processes for verifying the business associate’s compliance with its BAA obligations; and
- Developing an approach for negotiating BAAs (for both covered entities and subcontractors) including updating BAA templates.
The deadline for compliance with the HIPAA Omnibus Rule is September 23, 2013. Are you ready? Greenberg Traurig LLP Eleanor (Miki) A. Kolton