Are Your Business Associates Accountable for HIPAA Compliance?
The Department of Health and Human Services' Office for Civil Rights intends to strengthen HIPAA compliance requirements under the HITECH Act. The proposed changes would make BAs directly liable for HIPAA breaches, and subcontractors of BAs would also have to be compliant with HITECH and HIPAA. And that means they would have to comply with the HIPAA Security Rule and the use and disclosures provisions of the HIPAA Privacy Rule.
But is HITECH alone enough to ensure BAs and their subcontractors comply?
Not really, says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA.
A contract satisfies HITECH requirements. In it, make sure you include language that requires physical safeguards and asking BAs to document and prove their security measures and plans for incident response.
Case in point: The theft of an electronic medical records file in Manhattan may affect as many as 1.7 million patients. It is the largest breach since OCR began posting breaches on its website in February 2010. On February 9, The New York City Health and Hospitals Corporation (HHC) reported on its website that it began to notify 1.7 million patients, staff, contractors, vendors, and others who were treated by and/or provided services during the past 20 years.
- As Medicare Advantage Cuts Loom, Disagreement Over Program's Stability
- Surgical Checklists Unused in 10% of Hospitals, CMS Data Shows
- Doctors Feel Pressure to Accept Risk-based Reimbursement
- A Fresh Look at End-of-Life Care
- Heart Attack Patient Costs Skyrocket Beyond 30 Days
- 3 in 4 Patients Want E-mail Consultations
- 3 Insider Tips on Cutting Costs without Strangling Growth
- ACGME Chief Sees 'Huge' Risk of Error in Proposed Assistant Physician Licensure
- 4 Tectonic Shifts Shaking Up Healthcare
- CVS Ramps Up Retail Clinics with Provider Affiliations