HIPAA HITECH Confusion
Well I seem to have heard a full circuit of opinions in a week concerning the new, and not necessarily improved, relationship between covered entities and business associates. Coming from concerned, informed, intelligent people it clouds the issue even more for me. What is a relative newcomer to compliance like me to think? The answer is time will tell, but I am not sure how helpful that is to me or to CEs and BAs today.
In Googling around the web on this issue I find totally opposite opinions coming from various law firms, associations, and experts. So even though you are probably not asking yourself "What would Jack do?" I will tell you anyway.
If I was a covered entity I would document who I have BA relationships with and whether they have access to PHI. I would inform all of them of the new standards and tell them that in order to do business with me they need to be able to give me some proof that they are continuing to meet these standards. I would try and help them find an inexpensive, efficient process for achieving this. And I would be sure to document these efforts to be sure I could prove that I did not engage in "willful neglect".
If I was a business associate I would find a way to not only get compliant but to be able to prove it to my covered entities.
Here is a direct quote from the Interim Final Rule (one of my favorite oxymorons).
Federal Register /Vol. 74, No. 162 /Monday, August 24, 2009 /Rules and Regulations 42749
Because a covered entity or business associate is liable for failing to provide notice of a breach when the covered entity or business associate did not know—but by exercising reasonable diligence would have known—of a breach, it is important for such entities to implement reasonable systems for discovery of breaches. We also note that these provisions attribute knowledge of a breach by a workforce member or other agent (other than the person committing the breach), such as certain business associates, to the covered entity itself. This is important, as knowledge of a breach, i.e., when a breach is treated as "discovered," starts the clock in terms of the period of time a covered entity has to make the notifications required by the interim final rule. Thus, covered entities should ensure their workforce members and other agents are adequately trained and aware of the importance of timely reporting of privacy and security incidents and of the consequences of failing to do so.
Sounds to me like covered entities are indeed their brother's keepers.