[ Tuesday, June 23, 2009 ]
on the issues HITECH has raised regarding business associates. Two interesting points: "many" experts think business associates won't be ready to comply directly with HIPAA, and some covered entities don't even know who all their BAs are. Huh? Most BAs know they must provide privacy and confidentiality if they deal with medical records as part of their normal business; virtually all have signed business associate agreements specifically requiring them to do so. And frankly, there's not that big a difference between being contractually obligated to comply (at risk of losing your business revenue) and being directly obligated (at risk of an enforcement action). In fact, I'm willing to bet there have been a lot more contract terminations due to HIPAA breaches than enforcement actions. Also, covered entities tend to be compliance-aware; they know their businesses are highly regulated, and they know to keep up with that. I'd suspect most CEs have done a pretty good job making sure their BAs are all under BAA contracts.
Jeff [8:26 AM]