[ Saturday, January 19, 2013 ]
Nugget No. 4: If you are a hybrid entity, you can segregate your covered-entity-like functions from the rest of your operations, and only the CE-like part of your operations must comply with HIPAA. However, if another part of your organization provides business-associate-like functions for the CE-like part, you used to be able to keep that part separate. Not anymore: since an entity can't have a BAA with itself (why not, he asked), the BA-like parts of the entity must be included in the CE-like part. Actually that kinda makes sense, although you certainly could cure it with an internal BAA. So, if you're a hybrid entity, make sure any part of the organization that touches PHI is included in the CE-like part.
Jeff [10:54 AM]