Health IT and Electronic Health
Activate your FREE membership today |
Log-in
HIPAA compliance of BAs
How do you know if Business Associates is indeed HIPAA compliant, as the prime liability is on the medical practice (covered entity)?
Software/Hardware used:
Software/Hardware used:
ASKED:
February 10, 2012 8:25 PM
UPDATED:
February 15, 2012 1:47 pm
Answer Wiki:
Although the new rules are not final, under the provisions of the HITECH Act business associates are directly responsible for HIPAA security and privacy compliance, rather than falling under the responsibility of the covered entity. When a covered entity enters into a business associate agreement, the entity must get assurances from the business associate regarding its ability and actual intention to safeguard protected health information in a manner that complies with HIPAA. The administrative rules adopted for the HIPAA security rule and privacy rule mandate the use of formal business associate agreements that spell out the obligations and document the business associate's attestation that it complies with the law. There is no statutory requirement dictating how covered entities reach the level of confidence they need to enter into business associate agreements. It is up to the covered entity to either take the business associate at its word, or to conduct some form of due diligence (investigate the BA's history of complaints or violations, check its reputation, do a site visit, etc.) to give the entity confidence the BA can and will do what it says it will.
To see all answers submitted to the Answer Wiki: View Answer History.
Our article on retooling HIPAA business associate agreements, as well as some insight from Health IT Exchange expert blogger Ali Pabrai offer some tips for amending contracts to help make sure that business associates are complying with new HIPAA regulations and, as a result, are not leaving covered entities in a bad position.