By Jack Anderson
June 13, 2013
The window for staying in denial about your obligations as a business associate is closing.
First there is the expanded definition of a business associate: “Under the final Rule, Section (1)(i) was expanded to include any person that, on behalf of a covered entity, “creates, receives, maintains, or transmits protected health information for a function or activity regulated by [HIPAA] “, including claims processing or administration, data analysis, processing, or administration, utilization review, quality assurance, certain patient safety activities, billing, benefit management, practice management, and repricing.”
Secondly there are the expanded requirements: “As a result, Business Associates are now required to conduct a risk analysis to assess the nature and volume of electronic PHI (“ePHI”) and the risks of unauthorized use or disclosure of PHI. They must implement administrative, technical, and physical safeguards appropriate to the risks and vulnerabilities identified in the risk analysis.”
Finally, there are the new downstrean responsibilities: “The modified HIPAA Rules now require a Business Associate to obtain satisfactory assurances from a subcontractor that the subcontractor will properly safeguard information if the subcontractor is to create, receive, maintain, or transmit ePHI on behalf of the Business Associate. This requires that a Business Associate enter into a Business Associate agreement with its subcontractors and directly places the burden of supervising subcontractors on the Business Associate, rather than the Covered Entity.”
BA Tracker is a useful tool not only for covered entities to manage their business associates, but also for business associates to manage their sub-contractors.
www.compliancehelper.com/batracker
Here is the link to the complete article: http://www.mofo.com/files/Uploads/Images/130604-HIPAA.pdf#page=1