HITECH & BUSINESS ASSOCIATES
Several provisions of the HIPAA Security Rule now apply to business associates of covered entities in the same manner that those provisions apply to covered entities. The stimulus law applies four sections of the HIPAA Security Rule to business associates. These include:
- 45 CFR § 164.308
- 45 CFR § 164.310
- 45 CFR § 164.312
- 45 CFR § 164.316
As a result of the new requirements, business associates will need to:
- Address Administrative Safeguards to protect EPHI (45 CFR § 164.308)
- Comply with Physical Safeguards to limit physical access to EPHI (45 CFR § 164.310)
- Implement requirements of Technical Safeguards for systems that control access to EPHI (45 CFR § 164.312)
- Comply with reasonable and appropriate policies and procedures to address Standards, Implementation Specifications or other requirements of the HIPAA Security Rule and maintain proper documentation (45 CFR § 164.316)
Business associates are also now directly impacted by the HIPAA Privacy Rule relating to contractual arrangements between covered entities and business associates. Business associates who obtain or create PHI pursuant to a contract (or other written agreement) now have a legal duty to ensure that they are only using or disclosing PHI in accordance with 45 CFR § 164.504(e). This section establishes the necessary terms that must be in a contract between a covered entity and a business associate to ensure that information is only used for authorized purposes. The provision states that contracts between business associates and covered entities must establish the permitted and required uses and disclosures of PHI. Further, it requires that business associates will not use or further disclose the information other than as permitted or required by the contract, or as required by law.
The stimulus law makes it clear that a business associate cannot use or disclose PHI in violation of these requirements – which should be outlined in every agreement with the covered entity.
Also, with the stimulus bill, business associates are now in violation of HIPAA if they know of a pattern of activity or practice of the covered entity that constitutes a violation of the covered entity’s obligation under the contract (or other arrangement). Now if business associates know that a covered entity is violating its duty under the contract, they too have an obligation under 45 CFR § 164.504(e)(1)(ii) to take reasonable steps to try to stop the violation.
Business associates that violate the HIPAA security standards or the required terms of their business associate contracts now will be subject to the same civil and criminal penalties as covered entities.
So is your organization in compliance with HIPAA and the HITECH Act? Contact Steve.Ferrick@ecfirst.com or call 1.877.899.9974 x14 to discuss compliance strategy for addressing HITECH, HIPAA and state mandates. Ask Steve for the executive brief PDF on Increased Mandates for Privacy & Security of Health Information, New Penalties Established to learn more about the HITECH Act requirements and recent fines from the FTC and HHS.
CERTIFIED HIPAA PROFESSIONAL (CHP) PROGRAM IN LAS VEGAS, PHOENIX AND OTHER CITIES
Learn about key aspects of the new HITECH Act (economic stimulus bill recently enacted) and the HIPAA regulation including Transactions and Code Sets, Identifiers, Privacy and Security. This is an exceptional program delivered by Ms. Lorna Waggoner, a HIPAA expert. Take the certification exam at the end of the second day. To register, please visit www.HIPAAAcademy.Net or call 1.877.899.9974 x17.
CERTIFIED SECURITY COMPLIANCE SPECIALIST (CSCS) PROGRAM: LAS VEGAS, PHOENIX, and OTHER CITIES
To attend the only certification program in the industry that addresses PCI DSS, ISO 27001/27002, HIPAA, FISMA, and other information security regulations, please visit www.ecfirst.com, and click on the CSCS Program. The CSCS Program is presented by compliance and cyber security expert, Ali Pabrai. The CSCS program is offered in several cities across the USA – check the schedule on-line at www.ecfirst.com or bring the program on-site and have it tailored for your environment.