HIPAA Compliance
Information Access Management: Isolating Healthcare Clearinghouse Functions-What to Do and How to Do It

February 25, 2009 · HIPAA Law

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is required.

What to Do

If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the clearinghouse's electronic protected health information from unauthorized access by the larger organization. Remember, a clearinghouse is defined as a covered entity, but it can also serve in the role of a business associate to other covered entities, namely a health plan or healthcare provider.

How to Do It

This implementation specification is required, but it is not likely to apply directly to health plans or healthcare providers. A health plan or healthcare provider, as a covered entity, must document in writing that it is not a clearinghouse, so that this implementation specification does not apply to it.

A health plan or healthcare provider covered entity must still be aware of this implementation specification, because it may affect the covered entity indirectly if the covered entity uses, as a business associate, a clearinghouse that is part of a larger organization. In that case, suppose the clearinghouse materially breaches its obligations to the covered entity under the business associate agreement by allowing an unauthorized person in the larger organization to access the covered entity's protected health information. If the covered entity allows the breach to continue without terminating the contract (if feasible) or, if termination is not feasible, without reporting the breach to the U.S. Department of Health and Human Services, then the covered entity would be in violation of the HIPAA Administrative Simplification Privacy Rule, the Security Rule, or both. Because clearinghouses are themselves covered entities, it is likely that they already have policies and procedures in place to protect against the unauthorized disclosures covered by this implementation specification.

Further, as we noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates will also be required to comply with the Security Rule standards, effective February 17, 2010. As a result, the clearinghouse in its business associate role, reflected in a new business associate agreement with a health plan or healthcare provider covered entity, would have direct responsibility for a breach and for reporting the breach to affected parties. Until then, as a covered entity health plan or healthcare provider, make sure that your business associate agreement requires a clearinghouse that is part of a larger organization to safeguard your protected health information from unauthorized persons in the organization who are not part of the clearinghouse operations.

© 2023 · hipaa.com