
Business Associate Agreements and Assurances

Now that HIPAA compliance regulations have gone into effect, if you haven't already done so, it is critical to update your business associate agreements. Business contracts must document the necessary assurances provided by all Business Associates that they will comply with the expanded obligations listed in the contract as required by the more stringent guidelines of the HITECH Omnibus rule.

Definition of Business Associates

A business associate is an individual or entity that is not employed directly by the covered entity, but "creates, receives, maintains, or transmits" Personal Health Information (PHI) on its behalf. This includes facilities that store or provide upkeep of PHI even if they don't actually view this data. This stipulation greatly expands the number of entities that are now considered Business Associates. Additionally, contractual responsibility for maintaining HIPAA compliance has been expanded to all subcontractors.

New Requirements for Business Agreements

Based on the Omnibus final rule, the responsibilities of Business Associates, which must be specified in all Business Contracts, have been expanded. New obligations for Business Associates include:

Adherence to the HIPAA Security Rule regarding electronic PHI
Reporting any breaches of PHI to the Covered Entity
Compliance with all requirements of the Privacy Rule that apply to the Covered Entity

Ensuring that any subcontractors who access PHI on behalf of the Business Associate are compliant with the same requirements that apply to the Business Associates

Should Covered Entities become aware of instances when Business Associates violate one or more requirements listed in the business contract, they are not required to report cases if terminating the Business relationship is not a viable option. This leniency has been added because Business Associates are now directly liable for adherence to certain HIPAA requirements and are personally responsible for reporting breaches or impermissible disclosures to the HHS Secretary.

New Liabilities for Business Associates under the Security Rule

The new regulations included in the HITECH Omnibus final rule also increase the liability of Business Associates such that they are directly responsible for maintaining the physical, administrative and technical requirements of the HIPAA Security Rule.

New Liabilities for Business Associates under the Privacy Rule

Business Associates and Subcontractors are likewise held accountable for a number of aspects of the HIPAA Privacy Rule. Business Associates are considered liable for:

Uses or Disclosures of PHI not in accord with the Business Contract

Refusal to release or provide PHI for the purposes of an investigation or in order to assess the Business Associates' HIPAA compliance
Refusal to release PHI to the covered entity, the individual to which the information pertains, or the individual's designee, when an electronic version of the relevant PHI is requested
Refusal to make reasonable attempts to limit PHI disclosures, uses, and requests to what is minimally necessary
Failure to form a Business Associate relationship with subcontractors who access PHI on their behalf

Even though covered entities may use PHI as permitted by the HIPAA Privacy Rule, Business Associates and Subcontractors can only use or disclose PHI under conditions defined in their contract or as required by law. Any use or disclosure not listed in the business agreement is not permitted, even in cases which would be allowed for a covered entity.