HITECH Business Associate Rule Tool Section 5: Compliance as a Business Associate

Business Associates are directly responsible under the regulations for:

  1. Implementing Business Associate Contracts with any downstream Business Associates;
  2. Compliance with the Security Rule;
  3. Using and disclosing PHI only as permitted by their Business Associate Contract;
  4. Compliance with the Minimum Necessary rule;
  5. Notifying their upstream Business Associate or Covered Entity (as applicable) in case of a security breach;
  6. Providing access to a copy of the electronic PHI in their possession to either the Covered Entity, the individual, or the individual’s designee, as specified in their Business Associate Contract;
  7. Providing access to their records, including PHI, to DHHS for purposes of investigation of the Business Associate’s compliance with its regulatory obligations; and
  8. Providing the information needed for an accounting of disclosures.

Compliance with these regulatory requirements will be mandatory as of September 23, 2013.

Business Associates will be responsible under their Business Associate Contracts for:

  1. Implementing Business Associate Contracts with any downstream Business Associates;
  2. Compliance with the Security Rule;
  3. Reporting security incidents and breaches to their upstream Business Associate or Covered Entity, as applicable;
  4. Using and disclosing PHI only as permitted by their Business Associate Contract;
  5. Providing access to a copy of the PHI in their possession to either the Covered Entity, the individual, or the individual’s designee, as provided in the Business Associate Contract;
  6. Amending the PHI in their possession in accordance with the Business Associate Contract;
  7. Providing access to their records, including PHI, to DHHS for purposes of investigation of the upstream Business Associate’s or Covered Entity’s compliance with its regulatory obligations (as applicable; and
  8. Providing the information needed for an accounting of disclosures.

These Business Associate Contracts overlap and are in many cases redundant to Business Associate direct regulatory obligations, but not entirely. Business Associate Contract provisions should not be inconsistent with the regulatory provisions they overlap.

First Tier Business Associates should already be subject to Business Associate Contracts which meet pre-HITECH HIPAA requirements. Such Business Associate Contracts must be amended to be HITECH-compliant as provided in Determining the HITECH-Compliant Business Associate Contract Date.

Lower Tier Business Associates will be required to be subject to HITECH-Compliant Business Associate Contracts as of September 13, 2013..

© 2013 John R. Christiansen

Categories

Tags

bill gates cert christiansen it blog cobiT coco contract law do it yourself ehr issues ehrs electronic health records electronic health recores electronic medical records eula hackers healthcare system healthy information networks hipaa hitech information security information security duty information security theory infosec integrated information security standard of care integreated information security it law it risk it security legal counsel medical records nasa dod hacker network security newbie lawyers opering system risk acceptance risk assessment risk management risk theory secuirty rule security incident response poilicy security legislation self help strategic information security ufo hacking vista windows vista

Worthwhile Links