{"id":1762,"date":"2012-02-16T00:00:00","date_gmt":"2012-02-16T00:00:00","guid":{"rendered":"http:\/\/otava.test\/business-associates-must-be-hipaa-compliant-by-march-2012\/"},"modified":"2012-02-16T00:00:00","modified_gmt":"2012-02-16T00:00:00","slug":"business-associates-must-be-hipaa-compliant-by-march-2012","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/business-associates-must-be-hipaa-compliant-by-march-2012\/","title":{"rendered":"Business Associates Must Be HIPAA Compliant By March 2012"},"content":{"rendered":"

While the Department of Health and Human Services (HHS) shows that business associate-related HIPAA breaches were responsible for 62 percent of the total number of patient records breached (as seen in this blog post<\/a>), there has not been government legal action taken against business associates until recently.<\/p>\n

Minnesota\u2019s Attorney General is suing a business associate over an unencrypted data breach incident that occurred last year when a laptop containing 23,500 patient records was stolen from the business associate\u2019s car. Accretive Health is a licensed debt collector that also provides a patient analysis service for hospitals.<\/p>\n

Part of the reason why they were targeted may be linked to further complexity of the case \u2013 not only did Accretive Health suffer from a data breach, but the lawsuit claims they were also accessing and using patient data without the knowledge or consent of patients. One of their services provided the probability of a patient\u2019s hospital admittance and their calculated potential financial worth to the patient\u2019s healthcare provider, all based on perceived risk factors from their personal health information, according to the claim<\/a> (PDF).<\/p>\n

Another major HIPAA violation<\/a> case involving a business associate was the Department of Defense\u2019s military healthcare program, in which nearly the exact same incident<\/a> occurred \u2013 a contractor employee left an unencrypted laptop in their car and it was stolen. About 4.9 million patients were affected. A lawsuit was filed by a few of the affected patients, and in the claim, they indicated the need for all contractor employees to be properly trained in how to handle personal health information (PHI).<\/p>\n

Modifications to HIPAA Applicability<\/strong><\/p>\n

Are business associates lax on HIPAA compliance because the law has no teeth? That\u2019ll change very soon \u2013 according to HealthCareInfoSecurity.com, March 2012<\/strong> is the target date to release a final version of the HIPAA modifications and breach notification rule (also known as the Omnibus rule, meaning for all<\/em> in Latin). And in the proposed version of HIPAA modifications, business associates will be required to comply with the HIPAA standards, as seen in the change to the \u00a7164.104 Applicability<\/a> <\/strong>rule:<\/p>\n

When a health care clearinghouse creates or receives protected health information as a business associate of another covered entity, or other than as a business associate of a covered entity, the clearinghouse must comply with \u00a7164.105<\/a> relating to organizational requirements for covered entities, including the designation of health care components of a covered entity.<\/p><\/blockquote>\n

Roadmap to Achieving Compliance<\/strong><\/p>\n

How can a business associate avoid a potential HIPAA violation, subsequent lawsuits and fines? Try the following:<\/p>\n