This week, the 1st Edition of a new document that provides direction and guidance for compliance with the HITECH Act's Security Rule is available on the HITECH/HIPAA Survival Guide website . Need
documents that will help with your compliance initiatives? If so then
check out the HSG
Here is an excerpt from its introduction:
Business Associate Compliance under HITECH
Until the HITECH Act was enacted into law on February 17, 2009, as part of ARRA, a business associate’s compliance with HIPAA’s regulations was mandated only as part of the contract (see 164.504(e)(1) ) with its respective Covered Entity (“CE”). Under HITECH a BA is “directly on the hook” (i.e. via statutory authority) for complying with the following sections of the SR:
1. Administrative Safeguards (see §164.308 );
2. Physical Safeguards (see §164.310 );
3. Technical Safeguards (see §164.312 ); and
4. Policies and Procedures and Documentation Requirements (see §164.316 ).
BA compliance with the required sections of the SR were to go into effect one year post the enactment of HITECH, however, HHS (circa February 2010) delayed the compliance effective date for BA’s, apparently to provide a little more breathing room to the impacted entities (see HITECH Effective Dates One Year Out).
In addition to the sections enumerated above, HITECH Section 13401 states as follows:
The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.
In short, a BA must comply with the enumerated sections above in the same way a CE is required to comply, and must also comply with any additional HITECH security requirements imposed upon a CE. Finally, any additional HITECH security requirements must be incorporated into the contract between the respective parties.
The framework in this guide discusses each of these areas in enough detail to enable providers and facilities to establish and maintain HITECH compliant technology architecture and processes.
Discussion in the guide also covers issues addressing Electronic PHI vs. oral and paper PHI. It provides a strategic approach for managing Business Associates' risk management.
As we all know, there are no perfect standards or frameworks, but theBusiness Associates Guide to The Security Rule is a great place to start. It also contains links to specific areas of the law and regulations that can be found on the HITECH/HIPAA Survival Guide Website providing further resources and material.