Sunday, January 20, 2013


Nugget 2(b): The HITECH Act makes the big 3 components of the Security Rule applicable to BAs, but only "certain" provisions of the Privacy Rule. In other words, direct liability under the Security Rule is much wider and more complete than under the Privacy Rule. The Security Rule provisions applicable to BAs are the implementation of (i) administrative, (ii) physical, and (iii) technical safeguards. The Privacy Rule provisions applicable to BAs impose direct liability for (i) a use or disclosure of PHI in violation of a BAA; (ii) failure to provide PHI to the Secretary; (iii) failure to provide PHI when a patient requests access to his/her EMR; (iv) failure to limit uses and disclosures to the minimum necessary; and (v) failure to enter into sub-BAAs with subcontractors.

Jeff

