HIPAA HITECH Compliance and Blind Men

There is an old folk story about seven blind men describing an elephant. The first has the elephant's trunk in his hands and says an elephant is flexible, strong, and about 6 inches in diameter. The next blind man has the elephant's tail and says an elephant is stringy, leathery, and about 2 inches in diameter, and so forth with the rest of the blind men.

I have been spending a lot of time on the Internet reading different descriptions of HIPAA and the HITECH Act and, like the blind men, each writer's viewpoint depends on their touchpoint.

One group says that it is all about the business associate agreement and each business associate (BA) should amend their own agreement, while another says, oh no, the covered entity (CE) should write a new BA agreement for all their BAs. A third group says that the agreement is inherent in the HITECH Act, so nothing needs to be written. One group says the CE needs to establish standards for their BAs and enforce them, while another voice says that will make you more responsible for them. IT folks talk about encryption. Practice management software companies talk about "meaningful use". One whole article was about "whistle blowers", but perhaps the most dangerous advice I read was "don't lose sleep over the new HITECH Act it is just like HIPAA and how hard was that?"

Finally, HHS has published yet another "Interim Final Rule", which triggers a new round of interpretation. No wonder covered entities and especially business associates are confused.

A few things we know for sure from the HITECH Act: business associates must meet the same standards as covered entities, and breach notification is a serious new responsibility shared by covered entities and business associates.

So my advice is to take care of your own house first by making sure that you meet the standards. Then look to your BA and CE partners to figure out how you can work together to reduce your overall risk.

