
Many Business Associates Not Ready to Comply with HIPAA

By HealthLeaders Media Staff
June 22, 2009

Since the Health Information Technology for Economic and Clinical Health (HITECH) Act passed on February 17, we've heard a lot of discussion about business associates (BAs).

Under HITECH, BAs must comply directly with the HIPAA Security Rule and with components of the Privacy Rule by February 18, 2010.

One HIPAA privacy and security officer told us in a focus group that she is concerned because it is not clear what role a covered entity should play in educating its BAs. (Technically, covered entities have no obligation to train BAs.)

That same HIPAA officer is working on a final draft of a BA contract, and her facility is unsure whether it will have one standard contract or individual language for each BA.

It makes sense for a covered entity to develop a template and then change only the details that vary, in particular the description of the uses and disclosures of PHI the BA is permitted to make, according to Kate Borten, CISSP, CISM, president of The Marblehead Group and a HIPAA privacy and security expert.

John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, sees some BAs abandoning healthcare because they fear they can't fully comply with HIPAA.

And many experts simply feel BAs are not ready to comply.

Perhaps the most telling news is that some covered entities don't know all of their BAs, and they're trying to identify them.

All of this comes with a crucial eight months ahead for covered entities and BAs as they prepare to comply.

In the next eight months, HHS will define the meaning of "unsecured PHI," which goes hand in hand with the new breach notification requirements. CMS will also publish its definition of "meaningful use" of EHRs.

And then comes the big date, February 18, 2010, which is the compliance date for BAs under the Security Rule and HITECH.

If you don't have a grip on your BAs by then, you'll not only be behind the 8-ball but the entire rack on the pool table.

Borten says there is "absolutely no excuse" to not know all your BAs.

She reminds covered entities that they must not only know who their BAs are, but must already have entered into contracts with them, as the HIPAA Privacy and Security rules require.

"You absolutely have to know who they are," Borten says. "And you have to make sure you have legal contracts, and that they have all the language required in the Privacy and Security rules. This should all be in place now. Imagine an auditor walking through the door and asking for this, and you can't produce it? You're in big trouble right off the bat."

Under HITECH, organizations that provide data transmission of PHI and require routine access to it, such as Regional Health Information Organizations (RHIOs), are also treated as BAs.

The act also clarifies that personal health record (PHR) vendors who contract with covered entities to provide a PHR to their patients or health plan members are another example of BAs.

Some other examples of BAs are:

  • Transcriptionists

  • Contract coders

  • Contracted laboratory and radiology departments

  • Third-party billers

  • Collection agencies

  • Software vendors who have access to PHI

  • Outsourced IT support

  • Interpreters

  • Hospital couriers

  • Pharmacies with hospital contracts

  • Security shredding companies

  • Waste management companies

  • Off-site storage facilities

  • Auditors who have access to PHI

  • Marketing contractors who have access to PHI

  • Consultants who have access to PHI
