Hospitals and other provider organizations should be working with their business associates now to prepare for compliance with updated federal data privacy and security provisions under the American Reinvestment and Recovery Act. That's the advice of May Thomason, senior compliance consultant at Intermountain Healthcare, a Salt Lake City-based delivery system.

As a result of ARRA, business associates must comply with the HIPAA privacy and security rules that were modified under the law. Business associates also will be subject to the same penalties as covered entities, such as hospitals and physician groups, for privacy and security violations.

Business associates are organizations that provide a service for a covered entity and use protected patient information to provide that service, Thomason said. Business associates now must notify providers when a data security breach involving patient data occurs, she noted.

At the American Health Information Management Association convention Oct. 5 in Grapevine, Texas, Thomason offered the following advice:

  • Be certain that all business associate agreements spell out all the details on the timing and content of security breach notifications. "You want to know quickly if there's been a breach," Thomason said.
  • Make sure you have current contact information for key business associate staffers who handle privacy/security issues. Intermountain also wrote a letter to all 500 of its business associates in September, notifying them about who they could contact around-the-clock at the provider organization regarding security breaches.
  • Be prepared to demonstrate to the Department of Health and Human Services' Office for Civil Rights how your organization is complying with privacy and security requirements. The office will be conducting compliance audits of both business associates and covered entities.

This article can also be found at HealthDataManagement.com.
