HIPAA Blog Posts: HIPAA Business Associates
“Providers should identify all of their vendors with access to personal health records and ensure they are protecting it according to the new HIPAA rule.” Jorge Rey, an associate principal and the director of information security and compliance for Kaufman, Rossin
Business Associate agreements must contain provisions for compliance with the Security Rule, and probably the Privacy Rule as well, and they must require that the business associate have BAAs with its subcontractors, says Drinker Biddle & Reath LLP in an article titled "Business associate provisions under HIPAA Omnibus Rule."
Plan sponsors should note that the Omnibus Rule expands the definition of business associate and those parties subject to HIPAA’s Privacy and Security Rules, and applies HIPAA’s civil and criminal penalties directly to business associates. Under the Omnibus Rule, business associates, including subcontractors of business associates, are directly liable for compliance with the Privacy and Security Rules if they create, receive, maintain or transmit PHI on behalf of the company or the plan. Such business associates for group health plans may include: brokers; consultants; attorneys; third-party administrators; and health information organizations, e-prescribing gateways and other entities that transmit protected health information or access PHI.
"Of greatest significance to Business Associates is the requirement to implement administrative, physical, and technical safeguards to comply with the HIPAA Security Regulations as if they were Covered Entities." Business associate HIPAA compliance, Lathrop & Gage LLP, Stacy N. Harper
Covered entities need "satisfactory assurances" that their business associates are HIPAA HITECH compliant, and business associates need to be able to provide proof of ongoing compliance. BA Tracker helps both.
HIPAA allows a Business Associate to take its size and complexity into account when deciding how to comply with the Security Rule.
"For instance, in deciding which security measures to implement, a BA may take into consideration its size, capabilities, the costs of the specific security measures, and the operational impact. BAs should note that as part of their compliance with the administrative safeguards, BAs must perform their own risk analyses, establish a risk management program, and designate a security officer, as well as have in place written policies and procedures, conduct employee training, and document compliance with the requirements." "Changes affecting who is a business associate and new business associate obligations," Polsinelli Shughart PC, Thomas P. O'Donnell, Erin Fleming Dunlap, Rebecca L. Frigy and Matthew J. Murer
The owners of a medical billing practice (a business associate) and four pathology groups (covered entities), whose patient information was all improperly disposed of, will collectively pay $140,000 to settle the claims. The settlement agreement requires each pathology group to vet all business associates, ensuring they have a written information security plan and that the practices described in it are sufficient to comply with the groups’ obligations to protect personal information and PHI. The groups must also execute business associate agreements before disclosing any PI or PHI to service providers.
HIPAA Business Associates: Waiting Is No Longer An Option, Vorys Sater Seymour and Pease LLP, J. Liam Gruzs
HIPAA business associates who have not been paying attention since HITECH need to take notice. The timeframe for compliance is less than nine months. For those business associates who had been hoping for relief in the Final Rule (or simply have had their heads in the sand for four years), waiting is no longer an option. HIPAA final rule clarifies business associate obligations, Vorys Sater Seymour and Pease LLP, J. Liam Gruzs, January 28 2013
"Potential liability concerns and fear of being held responsible for a subcontractor’s mistakes in a breach will be enough to change the BAA decision-making process for healthcare organizations," according to Dianne Bourque, partner at Mintz Levin and HIPAA expert.
Small Firms, Big HIPAA Troubles? Business Associates Need to Get Serious About Security, by Marianne Kolbasuk McGee, January 29, 2013. This is a very forthright and timely call to action, not only for business associates but also for their covered entities. Fortunately, there are cost-effective and efficient solutions for both. With the SaaS model, templates of the needed policies, procedures and forms can be accessed and edited in a step-by-step process overseen by a privacy and security expert. The compliance activities are then measured and delivered through the Compliance Meter(tm), allowing the covered entity to monitor the ongoing compliance of its business associates.
Here is the link to the article: