HIPAA Compliance, Part 2: monitoring your 'Business Associates'; now that you know who your "business associates" are, how do you make sure that they stay HIPAA-compliant? (Feature Article).


October's article "HIPAA Compliance, Part 1: Who Are Your 'Business Associates?'" (Nursing Homes/Long Term Care Management, p. 66) discussed how to identify business associates, as required by the Health Insurance Portability and Accountability Act's (HIPAA) privacy standards. This month's article will focus on the duties and responsibilities of organizations and their business associates.

To recapitulate, the privacy rules apply to the actions of "covered entities." In order for covered entities to operate, there are times when individually identifiable health information needs to be passed on to another entity. HIPAA defines these entities as "business associates," or entities that, on behalf of a covered entity, perform, or assist in the performance of, a function or activity involving the use or disclosure of individually identifiable health information. To provide guidance to covered entities and their business associates, the final modifications to the Privacy Rule issued on August 14, 2002, by the Department of Health and Human Services (HHS) included an appendix with sample business associate contract provisions.

In the business associate agreement, the obligations and activities of the business associate need to be set forth, and should include:

* the uses and disclosures of the protected health information that might be made by the business associate;

* a requirement that the business associate employ appropriate safeguards to prevent use or disclosure of the information, other than as provided for in the agreement;

* an agreement by the business associate that any agent, including any subcontractor, to whom it provides protected health information will agree to the same restrictions and conditions imposed on the business associate by the covered entity;

* a requirement that the business associate report to the covered entity any use or disclosure of the information not provided for by its agreement, once aware of such an event occurring;

* an agreement that the business associate will make internal practices, books, and records relating to the use and disclosure of protected health information available to the covered entity upon request; and

* a requirement that upon termination of the business associate agreement, the business associate will return or destroy all protected health information received from the covered entity or, if such return or destruction is not feasible, promise to limit the further uses and disclosures of the protected health information.

In addition, the covered entity and business associate must agree that the business associate cannot disclose or use the protected health information in any manner that would not be permissible to the covered entity.

Having entered into an appropriate agreement, the covered entity has an ongoing obligation to monitor the business associate agreement. If the covered entity becomes aware of a violation by the business associate, then the covered entity has an obligation to take reasonable steps to end the violation. If the business associate continues to violate the regulations, the covered entity must terminate the agreement, if such termination is feasible. If it is not, the covered entity must report the business associate to HHS.

Discovering that a business associate disclosed or misused protected health information might not be easy. Should the covered entity become aware of credible evidence of a privacy violation, the covered entity has a duty to conduct a thorough investigation.

The business associate is not directly accountable for any violation of the privacy rules. The only entity to which the business associate is accountable is the covered entity, which is, of course, accountable to the relevant government agencies. Because covered entities are held accountable, they must attempt to cure any privacy violations by business associates.

Monitoring of business associates for compliance with HIPAA privacy rules might appear to be a complex undertaking, but it can be made easier by drafting--and carefully monitoring--comprehensive and well thought out business associate agreements.

At the time of this writing, Sandra K. Battaglia, Esq., was special counsel to the Health Law Department of Cozen O'Connor, practicing in the firm's Wilmington, Delaware, office. Battaglia concentrates her practice in the area of transactional issues for long-term care and other healthcare providers, including regulatory and compliance matters. To comment on this article, e-mail to battaglia0103@nursinghomesmagazine.com.
COPYRIGHT 2003 Medquest Communications, LLC
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:Battaglia, Sandra K.
Publication:Nursing Homes
Geographic Code:1USA
Date:Jan 1, 2003
Words:678