Posted by: Pabrai
HIPAA; HITECH; Business Associates; Patient Safety Organizations (PSO);
The recent modifications to the HITECH Act include updates in the area of Business Associates. As a result of the HITECH modifications, Business Associates also include:
· Patient Safety Organizations (PSO)
· Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission
The HITECH Act updates state that Patient Safety Organizations (PSOs) must be treated as business associates when applying the HIPAA Privacy Rule. Patient safety activities have been added to the list of functions and activities a person may undertake on behalf of a covered entity that give rise to a business associate relationship.
The modification to the HITECH Act further provides that an organization, such as a Health Information Exchange Organization, E-prescribing Gateway, or Regional Health Information Organization, that provides data transmission of PHI to a covered entity (or its business associate) and that requires access on a routine basis to such PHI must be treated as a business associate. Also, a vendor that contracts with a covered entity to allow the covered entity to offer a PHR to patients as part of the covered entity’s Electronic Health Record (EHR) shall be treated as a business associate. The HITECH Act requires that such organizations and vendors enter into a written business associate contract or other arrangement with the covered entity in accordance with the HIPAA Rules.
Subcontractors of a covered entity, i.e. those persons that perform functions for or provide services to a business associate other than in the capacity of a member of the business associate’s workforce, are also business associates to the extent that they require access to PHI. A subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate.
So take a closer look at who your business associates are. Update your Business Associate Agreements (BAA) to ensure they meet the requirements of the HIPAA Privacy and Security Rules and the HITECH Act, and don’t forget to review State regulatory requirements as well, as they may impact some areas in the Agreement, such as the breach notification period.