
Billing_MJ13

Agency Liability

The Final Rule makes covered entities and business associates liable for the acts of their business associate agents, regardless of whether the covered entity or business associate knew of the violation or had a compliant business associate agreement in place. According to OCR, the key factor in determining whether an agency relationship exists between a covered entity and its business associate, or between a business associate and its subcontractor, is the principal’s right to control the agent’s conduct in the course of performing a service on behalf of the principal.

OCR observes that a business associate agent’s conduct generally is within the scope of agency when its conduct occurs during the performance of the assigned work or incident to such work, regardless of whether the work was done carelessly, a mistake was made in the performance, or the business associate disregarded a covered entity’s specific instruction. OCR further observes that, in contrast, a business associate agent’s conduct generally is outside the scope of agency when its conduct is solely for its own benefit (or that of a third party), or it pursues a course of conduct not intended to serve any purpose of the covered entity.

To protect itself, a billing company’s services agreement with a subcontractor should specify that the subcontractor is engaged as an independent contractor, not as an agent, and the billing company does not have the right to control the subcontractor’s performance.

RECOMMENDED ACTION ITEMS

Although billing companies and their subcontractors have until September 23, 2013 to fully comply with the Final Rule, they should begin preparing soon in light of the significant number of new or modified compliance obligations.
In particular:

• Covered entities will need to revise, negotiate, and execute business associate agreements with billing companies compliant with the Final Rule by September 23, 2013 to the extent they did not have business associate agreements in place as of January 25, 2013 that were HIPAA compliant. They have until September 22, 2014 to do so to the extent they had business associate agreements in place as of January 25, 2013 that were HIPAA compliant. OCR gives a fair amount of latitude in the content of business associate agreements, so it is important for billing companies to ensure that they are not overcommitting to responsibilities or deadlines that are not required under HIPAA.

• Billing companies that use subcontractors that create, receive, maintain, or transmit PHI on their behalf will need to draft, negotiate, and execute business associate agreements with them by September 23, 2013. Billing companies will need to ensure that these business associate agreements are at least as stringent as their business associate agreements with covered entities, and enable billing companies to meet deadlines in their business associate agreements with covered entities.

• Billing companies, including subcontractors, will need to conduct a security risk assessment, implement a written HIPAA security plan, designate a security official, and create certain written HIPAA privacy policies by September 23, 2013 to the extent they have not already done so. OCR has posted guidance on compliance with the HIPAA Security Rule found at www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule that may be helpful to billing companies and their subcontractors and facilitate their compliance efforts.

• Billing companies and their subcontractors will need to perform a gap analysis to determine what HIPAA policies and procedures need to be revised to comply with the Final Rule, and then will need to revise them by September 23, 2013 based on the gap analysis.

• Billing companies and their subcontractors will need to update by September 23, 2013 their breach notification policies and any tools concerning how to conduct a risk assessment to determine whether breach notification is required.

(How the New HIPAA Regulations Affect Billing Companies... continued)

In the press release announcing the Final Rule, OCR Director Leon Rodriguez proclaimed that the Final Rule “marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”

HBMA Billing • May.June.2013

