Billing_MJ13

to investigate or determine the business associate’s compliance with HIPAA;

5. failure to provide an accounting of disclosures;

6. failing to enter into business associate agreements with subcontractors that create or receive PHI on the business associate’s behalf; and

7. failure to comply with the requirements of the Security Rule.

Billing companies and their subcontractors also remain contractually liable for all other Privacy Rule obligations that are included in their business associate agreements.

Business Associate Agreements

The Final Rule clarifies that a covered entity is not required to enter into a business associate agreement with a billing company’s subcontractor. Rather, the billing company that engaged a subcontractor to perform a function or service involving the use or disclosure of PHI is required to enter into a business associate agreement with the subcontractor. Each business associate agreement in the business associate chain needs to be at least as restrictive as the agreement above it in the chain with respect to permissible uses and disclosures of PHI.

The Final Rule expands the requirements of a business associate agreement by obligating a business associate to comply, where applicable, with the Security Rule with regard to electronic PHI; report breaches of unsecured PHI to the covered entity; and ensure that any subcontractors that create or receive PHI on its behalf agree to the same restrictions and conditions that apply to the business associate with respect to such information.

Transition Period

The Final Rule delays compliance until September 22, 2014 for a covered entity or business associate to enter into a business associate agreement with a business associate or subcontractor if, prior to January 25, 2013, the covered entity or business associate had a business associate agreement with the business associate or subcontractor, as applicable, that complied with HIPAA prior to the Final Rule (unless the business associate agreement was modified or actively renewed between March 26, 2013 and September 23, 2013). In all other cases, covered entities and business associates will need to execute business associate agreements with their business associates and subcontractors no later than September 23, 2013.

MODIFICATION TO THE BREACH NOTIFICATION RULE

Background

Under the HITECH Act, a covered entity is required to notify affected individuals and OCR following discovery of a breach of unsecured PHI; a covered entity also needs to notify the media of a breach involving more than 500 residents of a state or jurisdiction. A business associate, in turn, is required to notify a covered entity following discovery of a breach of unsecured PHI at or by the business associate.

On August 24, 2009, OCR issued an interim final rule implementing the HITECH Act’s breach notification provisions (the “Breach Notification Interim Rule”). In the Breach Notification Interim Rule, a “breach” is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that “compromises the security or privacy” of the PHI, with certain exceptions. Moreover, under the Breach Notification Interim Rule, “compromises the security or privacy” of the PHI is defined to mean that an impermissible use or disclosure of PHI poses a significant risk of financial, reputational, or other harm to the individual (the “harm standard”).

Revised Definition of “Breach”

The Final Rule significantly revises the definition of “breach” to clarify that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. By replacing the “harm standard” with this “low probability” standard, it is more likely under the Final Rule than under the Breach Notification Interim Rule that covered entities and business associates will determine that an impermissible use or disclosure of PHI “compromises the security or privacy” of the PHI, resulting in many required breach notifications that would not have been required previously.

Modification of Risk Assessment

Under the Final Rule, to determine whether there is a low probability that PHI has been compromised, covered entities and business associates need to conduct a risk assessment that considers at least the following factors:

• the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

• the unauthorized person who used the PHI or to whom the disclosure was made;

• whether the PHI was actually acquired or viewed; and

• the extent to which the risk to the PHI has been mitigated.
