Chaz, posted April 15, 2013

Are business associates specifically required under the final HITECH regulations to appoint a privacy officer? If so, can someone provide the applicable regulation, as I can't seem to find one. Thanks!
GBurns, posted April 15, 2013

If you look at the Sample Business Associates Agreements on the HHS website you will see that the Agreement must state that the BA is required to implement safeguards including the HIPAA Security Rules. The Security rules require a security official. See 45 CFR 164.308(a)(2). There are Summaries on the upper left.

George D. Burns
Cost Reduction Strategies
Burns and Associates, Inc
www.costreductionstrategies.com (under construction)
www.employeebenefitsstrategies.com (under construction)
Chaz (Author), posted April 15, 2013

> If you look at the Sample Business Associates Agreements on the HHS website you will see that the Agreement must state that the BA is required to implement safeguards including the HIPAA Security Rules. The Security rules require a security official. See 45 CFR 164.308(a)(2). There are Summaries on the upper left.

Does that requirement also extend to appointing a Privacy Officer as well?
GBurns, posted April 16, 2013

The Summary does say: "Privacy Personnel. A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity's privacy practices."

I guess that the Security Officer could also be 1 of the 2 privacy personnel positions which, as I was advised, could be held by 1 person. In other words, 1 person, 3 functions. You might want to read the actual wording of the statute at 45 CFR 164.530(a).
Chaz (Author), posted April 16, 2013

I think I found my answer in the preamble to the final rule (see emphasis added):

> Some commenters requested clarification as to which provisions of the Privacy Rule apply directly to business associates, and one commenter recommended applying all of the provisions of the Privacy Rule to business associates, including requiring business associates to implement reasonable safeguards, train employees, and designate a privacy official. . . . . As we discuss further below, section 13404 of the HITECH Act creates direct liability for impermissible uses and disclosures of protected health information by a business associate of a covered entity "that obtains or creates" protected health information "pursuant to a written contract or other arrangement described in § 164.502(e)(2)" and for compliance with the other privacy provisions in the HITECH Act. Section 13404 does not create direct liability for business associates with regard to compliance with all requirements under the Privacy Rule (i.e., does not treat them as covered entities). Therefore, under the final rule, a business associate is directly liable under the Privacy Rule for uses and disclosures of protected health information that are not in accord with its business associate agreement or the Privacy Rule. In addition, a business associate is directly liable for failing to disclose protected health information when required by the Secretary to do so for the Secretary to investigate and determine the business associate's compliance with the HIPAA Rules, and for failing to disclose protected health information to the covered entity, individual, or individual's designee, as necessary to satisfy a covered entity's obligations with respect to an individual's request for an electronic copy of protected health information. See § 164.502(a)(3) and (a)(4).
>
> Further, a business associate is directly liable for failing to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. See § 164.502(b). Finally, business associates are directly liable for failing to enter into business associate agreements with subcontractors that create or receive protected health information on their behalf. See § 164.502(e)(1)(ii). As was the case under the Privacy Rule before the HITECH Act, business associates remain contractually liable for all other Privacy Rule obligations that are included in their contracts or other arrangements with covered entities.
GBurns, posted April 16, 2013

So what is your conclusion?
Chaz (Author), posted April 16, 2013

That BAs do not need to comply with the full panoply of the Privacy Rule's requirements, including appointing a privacy official. They only need to comply with the items specified starting with the sentence that begins "Therefore" above. Thoughts?