Business Associates Need to Understand HIPAA & HITECH Requirements

 Even though the full extent of the HIPAA and HITECH requirements will not be required for Business Associates until 2011, my experience with helping organizations reach compliance with appropriate security requirements suggests that compliance efforts should begin right away.  Proposed changes to the rules can be viewed at regulations.gov (https://www.regulations.gov/search/Regs/home.html#documentDetail?R=HHS-OCR-2010-0016-0001).The deadline for submitting comments has passed on August 13^th; however I would be surprised to find significant changes from those that have been proposed.

With Business Associates having to comply with the same requirements as Covered Entities, there are many important requirements with regard to handling ePHI.  Companies should quickly become familiar with:

1. Performing periodic risk assessments that include ePHI – Organizations may decide to use guidance provided by HHS or use their own discretion.
2. Ability to respond to ePHI access inquiries – Just as covered entities, BAs need to be able to respond to requests regarding access to individual’s ePHI.
3. Incident investigation timeframe – In accordance with the HITECH requirements, responding to security incidents and issuing appropriate breach notifications must take place within a relatively short timeframe. While 60 days may not seem very short, having participated in a number of incident investigations, I can assure that this is not a lot of time.

Implementation of the above mentioned requirements may warrant creating new or modifying existing policies, implementing new security controls, and providing training for IT staff and other ePHI custodians.  Failure to comply with policies and practices may cause the company to be viewed as negligent, triggering significantly higher fines and possible consequences for company leadership.  For those companies who have relatively new security and privacy programs, I strongly recommend referencing HITRUST Common Security Framework (CSF) for detailed implementation requirements for individual HIPAA and HITECH controls.  While this may be seen as over-kill for small Business Associate organizations, the range of control implementation considerations will help organizations realize all possible consequences of these healthcare regulatory requirements.  With implementation of some of the more technical controls requiring considerable cost and operational changes, organizations should take advantage of the time before the requirements have been mandated and companies  fall into the scope of the HIPAA and HITECH enforcement efforts.