
The HIPAA privacy rules now apply to both covered entities (e.g., healthcare providers and health plans) and their business associates. A "business associate" is generally a person or entity who "creates, receives, maintains or transmits" protected health information ("PHI") in the course of performing services on behalf of the covered entity (e.g., consultants; management, billing, coding, transcription or marketing companies; information technology contractors; data storage or document destruction companies; data transmission companies or vendors who routinely access PHI; third party administrators; personal health record vendors; lawyers; accountants; malpractice insurers; etc.) (See 45 CFR 160.103). "A covered entity may be a business associate of another covered entity." (Id.).

Also, with very limited exceptions, a subcontractor or other entity that creates, receives, maintains or transmits PHI on behalf of a business associate is also a business associate.

To determine if an entity is a business associate, see the attached Business Associate Decision Tree.

Business Associate Requirements.

In general, an entity that is a "business associate" under HIPAA must do the following:

1. Perform and document a security risk assessment of its information systems containing electronic PHI.

2. Implement specified administrative, technical and physical safeguards to protect the integrity, confidentiality, and availability of electronic PHI (e.g., establish access controls; use firewalls, virus protections, and encryption; back up data; implement appropriate security policies and procedures; etc.).

3. Execute and perform according to written business associate agreements with covered entities that essentially require the business associate to maintain the privacy of PHI; limit the business associate's use or disclosure of PHI to those purposes authorized by the covered entity; and assist covered entities in responding to patient requests concerning their PHI. For more information about business associate agreements, see the attached Checklist for HIPAA Business Associate Agreements. If the covered entity discloses only a "limited data set" to the business associate, the parties may execute a data use agreement instead of a full business associate agreement.

4. Report security incidents and privacy breaches to the covered entity.

5. If the business associate uses subcontractors or other entities to provide any services for the covered entity involving PHI, execute business associate agreements with the subcontractors. (45 CFR 164.314(a) and 164.504(e)).

Business associates who violate HIPAA may be subject to penalties of $100 to over $50,000 per violation. If the violation resulted from willful neglect, the Office of Civil Rights ("OCR") must impose a penalty of at least $10,000 per violation. If the business associate acted with willful neglect and fails to correct the violation within thirty (30) days, the OCR must impose a penalty of at least $50,000 per violation. A single breach may result in numerous violations. For example, the loss of a laptop containing hundreds of patients' PHI may constitute hundreds of violations. Similarly, each day that a covered entity or business associate fails to implement a required policy constitutes a separate violation. In addition to regulatory penalties, business associates who fail to comply with business associate agreements may also be liable for contract damages and/or indemnification requirements set forth in the business associate agreement.

Avoiding Business Associate Requirements.

Given the cost of compliance and penalties for noncompliance, entities may want to avoid becoming a "business associate" or executing business associate agreements if possible. The following are not business associates and may properly decline to execute a business associate agreement:

1. Entities that do not create, receive, maintain, or transmit PHI. If you want to avoid business associate obligations, the safest course is to ensure that you do not handle PHI on behalf of either a covered entity or a business associate of a covered entity. Accidental receipt of or incidental access to PHI outside your contracted job duties does not trigger business associate obligations.
