HIPAA in the cloud: storing PHI may make you a business associate under HIPAA, Winston & Strawn LLP, Linda Lemel Hoseman and Liisa M. Thomas

June 19, 2013

There is still a lot of confusion, ignorance, and denial happening in the HIPAA arena. Business associates (BAs) are not being held to account by their covered entities (CEs). So we have BAs that don’t know they are BAs, BAs who know they are BAs but deny it, and BAs who haven’t yet acknowledged that they are responsible for the HIPAA compliance of their subcontractors, who, by the way, are also BAs.

Now that I have come close to the famous quote from former United States Secretary of Defense Donald Rumsfeld (“There are known knowns; there are things we know that we know. There are known unknowns; that is to say, there are things that we now know we don’t know. But there are also unknown unknowns – there are things we do not know we don’t know.”), let me try to clarify the situation.

If a CE shares PHI with someone, in general that person or company is a BA, and the CE has a responsibility to get “satisfactory assurances” that they are compliant. That BA in turn has the same responsibility with any company or person that has access to that data. If anyone in that chain breaches, everyone in the chain will suffer. It therefore makes sense to put in place systems to measure the compliance of each participant and hold them accountable.

If you are a CE, this is difficult if you don’t have tools in place to efficiently and cost-effectively monitor your BAs. For BAs, having to provide proof to many different CEs is costly and inefficient. BA Tracker bridges this gap by giving the CE a place to store compliance information about their BAs. This information has been collected for them by BA Tracker. If the BA uses the tools from Compliance Helper, they are able to display their ongoing compliance to all of their CEs through the Compliance Meter(tm).

Here is the complete article:

HIPAA in the cloud: storing PHI may make you a business associate under HIPAA, Winston & Strawn LLP, Linda Lemel Hoseman and Liisa M. Thomas

The recently-promulgated final regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) take a broader view of entities that are considered business associates and require additional contracting between business associates. One somewhat surprising “clarification” under these broader rules is that storage providers, including cloud-based storage providers, can be considered business associates of covered entities or other business associates with which they do business. As such, in order to comply with HIPAA, covered entities and business associates may need to enter into business associate agreements with these storage providers. These rules provide that if an entity has ongoing custody of protected health information (“PHI”) under HIPAA, then the entity must comply with HIPAA’s requirements even if the entity does not actually access the stored materials that contain the PHI. The rules distinguish between entities that have ongoing custody of PHI and those that act as mere conduits of PHI (such as the mail service) based on the transitory nature of the PHI that flows through such a conduit. One point on which additional guidance is expected is whether an organization that stores encrypted data without a key to access the stored data is carved out from the business associate definition.

TIP: It is important for covered entities and business associates to identify and properly contract with their business associates to help ensure that protected health information is properly treated and protected as required under HIPAA. In addition, it is important for entities that store PHI to conduct an analysis to determine if they are business associates and thus directly responsible for complying with a host of HIPAA requirements.
