Q. In the April issue of BOH, one of the Q&As discussed who must send out breach notification letters if the business associate (BA) was responsible for the breach. The answer was covered entities. Didn’t HITECH make BAs covered entities?
Dena Boggan, CPC, CMC, CCP, chuckled when someone recently suggested that her staff audit some patient records.
“I wish I had a staff,” laughed Boggan, HIPAA privacy/security officer at St. Dominic Jackson (MS) Memorial Hospital.
However, this is fairly typical in many healthcare settings, where HIPAA privacy and security officers often are the only individuals who are responsible for compliance.
The HIPAA Security Rule requires covered entities (CE) to conduct periodic evaluations of their information security programs.
However, Phyllis A. Patrick, MBA, FACHE, CHC, wonders how many organizations have completed the kind of evaluation the Security Rule standard requires.
On July 8, HHS released a proposed rule to modify the HIPAA privacy, security, and enforcement rules, extending HIPAA compliance requirements to subcontractors of business associates (BA) and strengthening patient rights to health information privacy.
The HITECH Act includes new privacy requirements that allow for stronger individual rights to access electronic health records (EHR) and restrict the disclosure of certain PHI.
