Business Associates Should Be In Compliance With HIPAA
The economic stimulus package went beyond its monetary
provisions, adding compliance amendments to the Health Insurance
Portability and Accountability Act (HIPAA) that name the business
associate (BA) a keeper of protected health information (PHI).
The package included the adoption of the Health
Information Technology for Economic and Clinical Health (HITECH) Act,
designed to affect all levels of HIT legislation. There are new
provisions with which BAs must comply.
"I used to think I was a reformed or reforming
HIPAA-holic ... but with the stimulus bill I think ‘so much for
reformation,’ but I also think practically that these changes
were really essentially a political compromise, a gateway to make sure
that the incentive – the health information technology incentive
– is ultimately passed," said Stephen Bernstein, partner at
McDermott Will and Emery, during the Webinar "New Tougher HIPAA Rules:
How to Meet Compliance Regulations Under the Economic Stimulus
Package," hosted by Managed Care Information Center.
Under the original HIPAA guidelines, BAs were only
obligated to abide by stipulations made through individual contracts.
The revision to the compliance regulation gives the BA responsibility
for ensuring that sensitive information stays confidential.
The updated compliance regulations create a role
reversal in which the BA must make sure the covered entity is in
compliance with privacy regulations. If the covered entity is not
in compliance, the BA could be punished, Bernstein said.
"It is a pretty odd result, but I think what the
government is doing once again is they are making private parties play
HIPAA-police to chase down information and sort of help with
compliance," Bernstein said.
"It is not an uncommon approach, but it makes business
associates a little bit wary, because remember this would essentially
mean your business associate is ratting on their customer, which could
put business associates in a very odd spot," he continued.
Bernstein suggested covered entities should add to their
contracts: an acknowledgment by the BA that it will be responsible
for security breaches on its end as well as on the covered entity's
end; and a requirement that the BA report security breaches to you,
"although you should already have something similar to that in the BA
agreement, because security rules made BAs report security incidents to
their covered entity," Bernstein said.
BAs should do a full security assessment and build privacy and security policies to ensure their compliance.
Address: Health Resources Publishing, 1913 Atlantic Ave., Suite 200, Manasquan, NJ 08736; (732) 292-1100, www.healthresourcesonline.com.