The new amendment to HIPAA Privacy and Security rule recently passed by Health Information Technology for Economic and Clinical Health Act (HITECH Act) and which came into effect from February 17, 2010 makes it mandatory for all the Covered entities to revise their Business Associate Contract.
The covered entity should enter into a written contract with its’ business associate to ensure complete HIPAA compliance. The Covered Entity should:
- Ensure that Business Associates complies directly with Security rule by implementing administrative, technical and physical safeguards in transaction of electronic Patient health information. This will prevent any unauthorized access during storage, exchange and processing of patient data.
- Make it mandatory for Business Associates to follow the terms and conditions as specified in the agreement or as required by law. This includes providing access, maintaining proper record of disclosures, making disclosures as per agreement, provide timely access of opening books, records and transactions to HHS for regulatory scrutiny, and returning or destroying PHI, if feasible, upon contract termination.
- Deem a Business Associate to violate HIPAA, if there is deviation from mutually accepted practices. The contract can be terminated and HHS notified about the willful violation. In case of unintentional lapse, the Covered Entity should bring it to notice of Business Associate and ensure that mistake is rectified.
Notify Business Associates regarding new requirements.
The Business Associates are now liable and accountable for any violation of HIPAA Privacy and Security rule and hence it is mandatory to revise and implement procedures to ensure complete HIPAA compliance in their business transaction with the Covered Entity. The Business Associate should:
- Adopt and implement reasonable and appropriate HIPAA Security written policies and procedures. This includes implementation of physical and technical safeguards.
- Adopt and implement policies and procedures for complying with the Business Associate provisions of the HIPAA Privacy and security rule.
- Hire a HIPAA Security Officer who reviews and asses the HIPAA compliance of the organization on a routine basis. This ensures removal of any existent loopholes and enables satisfactory compliance of the Business Associate agreement with Covered entity.
- Develop and implement a complaint system so that the clients are served properly.
- Develop a sanctions policy.
- Develop and establish a vigilant and reliable system, which identifies protected health information breach and notifies the covered entities.
- Mitigate any harm from the inappropriate use or disclosure of PHI.
- Educate and train employees and staff on the new HIPAA policies and procedures to prevent fine and conviction due to non compliance, arising out of lack of knowledge or awareness in the employees.
The purpose of the written Business Associate agreement is to ensure flow of confidential patient health information in a secure manner. A safe PHI transaction ensures that business relations flourish between both the health provider entities, without compromising the privacy and security of patient health data.
A Business Associate agreement is ensures privacy of the patient health information.
Read more on HIPAA compliance at, www.empowerbpo.com