Business Associate To-Do List

What are Business Associates Required to Do to Meet HIPAA Requirements?

With passage of the American Recovery and Reinvestment Act (ARRA), privacy and security compliance obligations increased significantly: business associates became immediately required to comply directly with many of HIPAA's rules. ARRA also dramatically expanded other remedial actions, such as increasing federal government audits, granting attorneys' fees in some HIPAA lawsuits, and allowing a method for individuals to recover penalties under HIPAA. Business associates are also subject to civil and criminal penalties, including a provision that allows individuals to receive financial compensation for the violation.

If you are a business associate, your "To-Do" list looks similar to the list the covered entities complied with in 2004. These tasks include: appointing a Security Official; developing written policies and procedures, including physical safeguards (such as locking computers that contain EPHI) and technical safeguards (such as encrypting emails); and training your workforce on how to protect electronic protected health information ("EPHI").

Also, effective immediately:

» You are required to notify each individual affected by a security breach by mail, or, if the individual has specified it as a preference, by email.

Penalties for ePHI Violations
Carolyn Hartley, Healthcare Authority & EHR Consultant

Filed Under: American Recovery and Reinvestment Act