News Feature | May 18, 2015

HIT.gov Provides Guide For Business Associates, Including VARs And MSPs

By Megan Williams, contributing writer

HealthIT.gov has released a Guide To Privacy And Security Of Electronic Health Information. Here are the points that apply most to solutions providers who qualify as business associates.

The Guide

As it describes itself, the guide was created to help healthcare organizations “comply with federal requirements and federal programs’ requirements administered through the U.S. Department of Health And Human Services (HHS) agencies and offices.” With respect to business associates (BAs), this primarily pertains to the HIPAA Privacy, Security, and Breach Notification Rules and their updates in the HIPAA Omnibus Final Rule of 2013.

Who Qualifies As A BA

The guide defines BAs as including:

  • Health information organizations and exchanges (HIOs and HIEs)
  • Subcontractors to BAs that receive, maintain, or transmit PHI (protected health information) on behalf of the BA
  • A person who provides data transmission services involving routine access to PHI to a covered entity
  • An entity that a covered entity contracts with to provide patients access to their personal health records on behalf of the covered entity.
  • E-prescribing gateways

Illustrative scenarios to help clarify who is and who is not a BA are also provided on page 12.

BA Responsibilities Under HIPAA

The document lays out BA responsibilities and how their behavior intersects with patient rights in regard to the Privacy Rule, the Security Rule, and the Breach Notification Rule (pg 10). In regard to BA liability, the guide specifies, “BAs are directly liable for violating the HIPAA Security Rule and Breach Notification Rule as well as certain provisions of the Privacy Rule. Liability may attach to BAs, even in situations in which the BA has not entered into the required agreement with the CE.”

BA requirements under the HIPAA Security Rule, covering the creation, transmission, receipt, and maintenance of health information, are outlined on page 26 and explained in more detail on page 27.

BAs And Patient Access To Information

Page 23 of the guide covers patient rights to access their information and how that impacts BAs. It specifies that under Meaningful Use requirements, any covered entity that demonstrates Stage 2 compliance is required to respond to patient requests to transmit electronic copies to the person or entities they choose. BAs and EHR (electronic health records) developers must cooperate with that obligation.

For Your Clients

The guide also includes a process for developing and enacting plans to comply with national guidelines. It includes advice on identifying and contacting BAs about written agreements and responsibilities, as well as specifying the need for those agreements to include requirements around training, compliance with safeguards, and adherence to additional requirements (pg 53).

Additional topics include:

  • Medical record retention via HIEs (pg 55)
  • Breach notification and HIPAA enforcement (pg 56)
  • Penalties for violations (pg 60)

Going Deeper

To read more on the question of federal regulations and vendor responsibilities, please read “How Does HIPAA Apply To VARs?”