HIPAA compliance of BAs

Q:

Business associates, Covered entities, HIPAA

How do you know if Business Associates is indeed HIPAA compliant, as the prime liability is on the medical practice (covered entity)?

ASKED: Feb 10 2012 8:25 PM GMT

A:

RATE THIS ANSWER

0
Click to Vote:

0
0

Although the new rules are not final, under the provisions of the HITECH Act business associates are directly responsible for HIPAA security and privacy compliance, rather than falling under the responsibility of the covered entity. When a covered entity enters into a business associate agreement, the entity must get assurances from the business associate regarding its ability and actual intention to safeguard protected health information in a manner that complies with HIPAA. The administrative rules adopted for the HIPAA security rule and privacy rule mandate the use of formal business associate agreements that spell out the obligations and document the business associate's attestation that it complies with the law. There is no statutory requirement dictating how covered entities reach the level of confidence they need to enter into business associate agreements. It is up to the covered entity to either take the business associate at its word, or to conduct some form of due diligence (investigate the BA's history of complaints or violations, check its reputation, do a site visit, etc.) to give the entity confidence the BA can and will do what it says it will.

Last Answered: Feb 14 2012 7:22 PM GMT by SteveGonHIT

250 pts.

View History

A:

Although the new rules are not final, under the provisions of the HITECH Act business associates are directly responsible for HIPAA security and privacy compliance, rather than falling under the responsibility of the covered entity. When a covered entity enters into a business associate agreement, the entity must get assurances from the business associate regarding its ability and actual intention to safeguard protected health information in a manner that complies with HIPAA. The administrative rules adopted for the HIPAA security rule and privacy rule mandate the use of formal business associate agreements that spell out the obligations and document the business associate's attestation that it complies with the law. There is no statutory requirement dictating how covered entities reach the level of confidence they need to enter into business associate agreements. It is up to the covered entity to either take the business associate at its word, or to conduct some form of due diligence (investigate the BA's history of complaints or violations, check its reputation, do a site visit, etc.) to give the entity confidence the BA can and will do what it says it will.

RSS - Discussions Help

Discuss This Answer:

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Beastwood 480 pts. | Feb 15 2012 1:47PM GMT

Our article on retooling HIPAA business associate agreements, as well as some insight from Health IT Exchange expert blogger Ali Pabrai offer some tips for amending contracts to help make sure that business associates are complying with new HIPAA regulations and, as a result, are not leaving covered entities in a bad position.

Ask a Question

Browse IT Answers by Topic