Business Associates Must Be HIPAA Compliant

Saturday, October 09, 2010

Jack Anderson


In response to a question from a potential client, I asked Rebecca Herold, The Privacy Professor, to comment on when a business associate (BA) must be compliant. I will let her answer speak for itself.
1. The HITECH Act is effective NOW with regard to all the requirements that went into law in February 2009.

ALL BAs MUST be in compliance with those many different requirements, including, but not limited to, breach response activities. Now.

If they are not in compliance now, then they are currently breaking the law and are at great risk.

2. ALL BAs MUST currently be in compliance with all their BA Agreement requirements. They should look at them now.

Most BA Agreements explicitly require policies, procedures and other safeguards; most of the ones I’ve seen duplicate the requirements placed on CEs under HIPAA.

They face sanctions, fines, and loss of their CE clients if they are not. Not to mention civil actions. Now.

If they are not in compliance with all the BA Agreement specifications now, then they are breaking their legal obligations and are at great risk.

3. State Attorneys General offices are holding BAs and subcontractors accountable for following the HIPAA requirements NOW.

If they are not in compliance now, then they risk having actions brought by the state AGs in any of the states where they do business.

The NPRM expands HIPAA to both BAs and their subcontractors, and the comments closed on September 15.

The NPRM changes could go into effect any day with an announcement from the HHS.

This should not be about just the NPRM. BAs need to be in compliance now as listed in items 1 – 3 above.

Cross-posted from Compliance Helper

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
