Featured Article
This month's featured article is entitled: "Business Associates: That was then, this is now."
The HIPAA Security Rule is all about implementing effective risk management to adequately and effectively protect ePHI. The assessment, analysis, and management of risk provide the foundation of a business associate's Security Rule compliance efforts. A comprehensive risk management approach provides the tools necessary to develop and maintain a Business Associate's strategy; one that protects the confidentiality, integrity, and availability of ePHI.
One of our guiding principles for a Security Rule implementation is that "you can't manage what you don't measure and account for." It should come as no surprise that HHS audits, which are now mandatory (i.e. as per a yet-to-be-defined approach and methodology circa April 2010), will be looking hard at a business associate's management and measurement processes and documentation.
All ePHI created, received, maintained, or transmitted by a business associate on behalf of a covered entity is subject to the SR. Business Associates are required to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or vulnerabilities to the security of ePHI.
Compliance Roadmaps Now Available in the HSG Store.
HIPAA Survival Guide Third Edition
The Third Edition of the HIPAA Survival Guide updates substantive text of the first two editions and adds completely new material. The HITECH Act has indeed proven to be transformational. In order to deal more effectively with its changing regulatory landscape we have decided to release an updated version, available here and on Amazon's Kindle platform.
The Security Rule Under HITECH: a Business Associate Perspective
The most important step for building a "good SR compliance story" is for the business associate to get started. The approach recommended herein is to build the story iteratively over time. Most business associates (large or small) will likely need help in creating the story. Getting started in the wrong direction initially could be far more costly in the long run, since much of the compliance budget may simply be wasted. The framework discussed throughout this document provides a good road map to follow.
Join Our Mailing List
Interested in staying current on HITECH / HIPAA compliance issues? Click the "join our list" link above and receive your own copy of the newsletter on the first business day of each month.
Also, if you are interested in "jumpstarting" your compliance efforts then check out our HITECH / HIPAA Risk Management Webinar Series. If you need to compare EHR software offerings click here and if you need a HITECH compliant data backup checklist click here.
Dear Carlos,
Welcome to the May 2010 HITECH / HIPAA Compliance Newsletter. The featured article this month is entitled: "Business Associates: That was then, this is now." This article presents an overview of issues that business associates face when considering their HITECH Act compliance initiatives.
Business Associates have rightly been perplexed by the sweeping changes that the HITECH Act has mandated. Business Associates now have to build their own "good compliance story" regarding the HIPAA Security Rule. This will be every bit as daunting as the challenges faced by their respective Covered Entities, only from a different perspective.
We are now actively promoting what we believe to be the best-of-breed HIPAA compliance tracking system ("CTS") on the market. We performed a significant amount of due diligence over the last couple of years, and this is the one solution that is clearly ahead of the pack and economically priced within the reach of even the smallest covered entities and business associates. To see a demo of the product click here.
We are also pleased to announce the availability of our Breach Notification Framework. Section 13402 of the HITECH Act requires that HIPAA covered entities and their business associates provide various notifications following a breach of unsecured protected health information. Our Breach Notification Framework offers guidance for complying with HITECH's Breach Notification requirements.
Our EHR Library remains one of our most popular downloads. Here you will find content that will help you select the right EHR package for your practice or facility.
We continue to be excited regarding the marketplace feedback on our Business Associate Agreement: a HITECH Ready Model Contract (Buy Now). The HIPAA regulations and the HITECH Act mandate that a CE establish a written contract with a BA in a number of instances, including whenever a BA "manages" PHI on behalf of a CE. Our Model Contract includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links, where appropriate, to the relevant statutory/regulatory authority that underpins each Contract clause.
Our Model Business Associate Contract, Roadmaps, and other offerings are now available in the HSG Store.
Want to stay updated throughout the month? Then follow Debbie on Twitter by clicking on the badge below. If you would like to read more regarding the authors' views on HIT and compliance, click here and here and subscribe to their blogs.
Become a Fan
Follow us on Facebook by becoming a fan of the guide, and support the HSG by purchasing some HSG Wearables. Also, be sure to check out our HITECH Videos.
HSG is now welcoming advertisers to help support one of the most comprehensive and usable HITECH / HIPAA sites on the Internet. Our audience continues to grow as healthcare providers, both large and small, return to HSG again and again.
Business Associates: That was then, this is now.
Until the HITECH Act was enacted into law on February 17, 2009, as part of ARRA, a business associate's ("BA") compliance with the HIPAA Regulations was mandated only as part of its contract (see §164.504(e)(1)) with its respective Covered Entity ("CE"). Under HITECH a BA is "directly on the hook" (i.e. via statutory authority) for complying with the following sections of the HIPAA Security Rule ("SR"):
- Administrative Safeguards (see §164.308);
- Physical Safeguards (see §164.310);
- Technical Safeguards (see §164.312); and
- Policies and Procedures and Documentation Requirements (see §164.316).
BA compliance with the required sections of the SR was to go into effect one year after the enactment of HITECH; however, HHS (circa February 2010) delayed the compliance effective date for BAs, apparently to provide a little more breathing room to the impacted entities (see HITECH Effective Dates One Year Out).
In addition to the sections enumerated above, HITECH Section 13401 states as follows:
The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.
In short, a BA must comply with the enumerated sections above in the same way a CE is required to comply, and must also comply with any additional HITECH security requirements imposed upon a CE (e.g. Breach Notification). Finally, any additional HITECH security requirements must be incorporated into the contract between the respective parties. There is still some debate regarding this latter requirement, but the conservative approach is to review existing BA agreements and to add a HITECH Act addendum to eliminate the guessing game.
About Us
We help companies safely and securely do business on the web, in accordance with applicable law. How? By helping them reduce risk. Privacy and security compliance issues are merely a subset of the legal issues that online businesses face. This is equally true for eCommerce sites as it is for healthcare providers, facilities, and vendors.
We take a partnering and collaborative approach in our legal practice. If you would like to see specific topics covered in this newsletter then please let us know.