|
 DeAnne Toto |
At a recent industry event with roughly 40 records and information management (RIM) professionals in attendance, Jim Booth, executive director of PRISM International, asked those assembled if they had updated their business associate agreements with their clients considered covered entities under the 2009 modifications to the Health Insurance Portability and Accountability Act (HIPAA) by virtue of the HITECH (Health Information Technology for Economic and Clinical Health) Act. To Booth’s apparent dismay, only a couple of hands went up in the audience. The Health and Human Services Department filed a proposed rule in the Federal Register July 14, 2010, titled, “Modifications to the HIPAA Privacy, Security and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act,” that reads: “The Privacy Rule protects individuals’ medical records and other individually identifiable health information created or received by or on behalf of covered entities, known as ‘protected health information.’ The Privacy Rule protects individuals’ health information by regulating the circumstances under which covered entities may use and disclose protected health information and by requiring covered entities to have safeguards in place to protect the privacy of the information. As part of these protections, covered entities are required to have contracts or other arrangements in place with business associates that perform functions for or provide services to the covered entity and that require access to protected health information to ensure that these business associates likewise protect the privacy of the health information.” In addition, the Security Rule, which applies to protected health information in electronic form, “requires covered entities to implement certain administrative, physical and technical safeguards to protect this electronic information.” The Security Rule also calls for covered entities to have contracts in place with their business associates “that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they receive, create, maintain or transmit on behalf of the covered entities.” Booth and Bob Johnson, CEO of the National Association for Information Destruction (NAID), both have urged their members throughout the last year not to wait until their clients present them with revised business associate agreements. Instead, both men advocate taking charge of the process. When it comes to business associate agreements, failure to initiate this process or the act of signing your clients’ agreements without thoroughly understanding the liability they are transferring to you could be a costly mistake.
|
In Agreement
The Health and Human Services Department filed a proposed rule in the Federal Register July 14, 2010