|June 10, 2019
New HIPAA Guidelines for Business Associates
[from Maine Hospital Association Friday Report]
The US Department of Health & Human Services Office of Civil Rights (OCR) has issued a fact sheet on the Health Insurance Portability and Accountability Act (HIPAA) requirements for business associates under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
OCR’s rule relating to the HITECH act identifies provisions of the HIPAA rules that apply directly to business associates and for which business associates are directly liable.
As set forth in the HITECH Act and OCR’s 2013 final rule, OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA rules as set forth below.
Business associates are directly liable for HIPAA violations as follows:
1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance;
2. Taking any retaliatory action against any individual for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules;
3. Failure to comply with the requirements of the Security Rule;
4. Failure to provide breach notification to a covered entity or another business associate;
5. Impermissible uses and disclosures of PHI;
6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively;
7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request;
8. Failure, in certain circumstances, to provide an accounting of disclosures;
9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements; and
10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
More details can be found at the link above.
Legal Brief is a regularly recurring section of the MHA Friday Report that highlights new statutes, rules, judicial opinions or other legal news of interest to hospitals.
MHA Contact: Sandra Parker
< Previous Article | Next Article >
[ return to top ]
ensure delivery of Maine Medicine Weekly Update,
please add 'firstname.lastname@example.org' to your email address book or Safe Sender List.
If you are still having problems receiving our communications,
see our white-listing page for more details: http://www.commpartners.com/website/white-listing.htm
For more information or to contact us directly, please visit www.mainemed.com | ©