Managed Care Information Center
1913 Atlantic Ave., Suite 200
Manasquan, NJ  08736
(732) 292-1100
fax: (732) 292-1111

Managed Care Insight and Analysis
Updated: March 16, 2010
Business Associates Should Be In Compliance With HIPAA

The economic stimulus package went beyond its monetary value: it carried compliance amendments to the Health Insurance Portability and Accountability Act (HIPAA) that name the business associate (BA) a keeper of protected health information (PHI).

The package included the adoption of the Health Information Technology for Economic and Clinical Health (HITECH) Act, designed to affect all levels of HIT legislation. It contains new provisions with which BAs must comply.

"I used to think I was a reformed or reforming HIPAA-holic ... but with the stimulus bill I think ‘so much for reformation,’ but I also think practically that these changes were really essentially a political compromise, a gateway to make sure that the incentive – the health information technology incentive – is ultimately passed," said Stephen Bernstein, partner at McDermott Will and Emery, during the Webinar "New Tougher HIPAA Rules: How to Meet Compliance Regulations Under the Economic Stimulus Package," hosted by Managed Care Information Center.

Under the original HIPAA guidelines, BAs were only obligated to abide by stipulations made through individual contracts. The revision to the compliance regulation gives the BA responsibility for ensuring sensitive information stays confidential.

The updated compliance regulations create a role reversal in which the BA must make sure the covered entity is in compliance with privacy regulations. If the covered entity is not in compliance, the BA could be punished, Bernstein said.

"It is a pretty odd result, but I think what the government is doing once again is they are making private parties play HIPAA-police to chase down information and sort of help with compliance," Bernstein said.

"It is not an uncommon approach, but it makes business associates a little bit weary, because remember this would essentially mean your business associate is ratting on their customer, which could put business associates in a very odd spot," he continued.

Bernstein suggested covered entities add to their contracts an acknowledgment by the BA that it will be responsible for security breaches, on its end as well as on the covered entity's end, and a requirement that the BA report security breaches to the covered entity, "although you should already have something similar to that in the BA agreement, because security rules made BAs report security incidents to their covered entity," Bernstein said.

BAs should do a full security assessment and build privacy and security policies to ensure their compliance.

Address: Health Resources Publishing, 1913 Atlantic Ave., Suite 200, Manasquan, NJ 08736; (732) 292-1100

This article was taken from: Healthcare Reimbursement Monitor

©2010 The Managed Care Information Center