
Four HIPAA Compliance Tips for Business Associates

Dom Nicastro, for HealthLeaders Media, September 9, 2009

The HITECH Act was a long time coming, especially because it holds business associates of covered entities directly accountable for compliance with the HIPAA Security Rule and with the use and disclosure provisions of the Privacy Rule.

It’s crucial for two particular reasons, according to Daniel Nutkis, CEO of The Health Information Trust Alliance (HITRUST):

  • Security is only as strong as the weakest link: a covered entity may be secure while its business associate is not, effectively cancelling out the controls in place and reintroducing the risk of a breach of protected health information (PHI).
  • The compliance requirements will force both covered entities and business associates to evaluate the scope of connectivity and of the information shared (i.e., can these services be provided without sharing PHI at all). Both of these items will tighten the scope and security around PHI, reducing the risk of disclosure and of breaches of patient privacy.

HealthLeaders Media recently caught up with Nutkis for a Q&A about HIPAA privacy and security. The following are some more highlights. The full Q&A can be found on the HCPro, Inc. HIPAA Update blog.

HealthLeaders Media: Business associates must now comply with the HIPAA Security Rule and with the provisions about disclosures in the Privacy Rule per the HITECH Act. How do you see the industry—covered entities and business associates—handling this?

Nutkis: Internally, both covered entities and business associates should be defining or updating their programs for business partner compliance management. At a high level, HITRUST recommends organizations take the following steps:

  1. Perform a gap analysis of the current compliance process. The analysis should include internal policies, procedures, and contracts, checked against a common checklist of requirements that includes HIPAA, HITECH, and other applicable regulations.
  2. Develop or revise a business partner compliance program. The gap analysis will provide management with a clear understanding of what is needed for the purposes of allocating dollars, resources, and time, and how to prioritize these activities.
  3. Coordinate compliance with business partners. Once a program is in place or has been appropriately revised, it is time to start coordinating compliance with your partners, including customers, service providers, and peers. The value of compliance is limited if costs are high and timeframes are long; coordinating with others on a common approach and set of requirements will help contain these issues and reduce exposure.
  4. Implement and maintain compliance. Revise contracts with business partners as they expire, include addenda, and ensure new contracts are up to par with the new program. Ensure compliance is maintained through notification of any violations. Organizations can minimize issues by maintaining a list of security contacts at each partner.


1 comment on "Four HIPAA Compliance Tips for Business Associates"

Looking at Business Compliance (2/4/2014 at 10:50 AM)
Great post! Been looking into this a lot with my business as of late. Thanks for all the info!