Resource:

HIPAA Privacy Requirements for BAs

The focus of the paper is to help business associates, and their subcontractors, determine which requirements of the Privacy Rule pertain to them.


With the passage of the Omnibus Final Rule (OFR), Business Associates (BAs) are now subject to those Privacy Rule requirements that are applicable to their Covered Entities (CEs), in addition to relevant sections of the Security Rule and the Breach Notification Rule as shown in the regulations below (redlined for changes from the OFR).

CFR 45 Part 160 Administrative Requirements
§ 160.102 Applicability.
(a) Except as otherwise provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to the following entities:

  1. A health plan.
  2. A health care clearinghouse.
  3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.


(b) Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate.

CFR 45 Part 164 Subpart C – Security Rule
§ 164.302 Applicability.
A covered entity or business associate must comply with the applicable standards, implementation specifications, and requirements of this subpart with respect to electronic PHI of a covered entity.

CFR 45 Part 164 Subpart E – Privacy Rule
§ 164.504 Uses and Disclosures: Organizational requirements.

(e)(2) BA Contract. A contract between the covered entity and a business associate must: (ii) Provide that the business associate will: (B) Use appropriate safeguards and comply, where applicable, with subpart C [the Security Rule] of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract;

Two other Clearwater Compliance whitepapers delve into HIPAA-HITECH regulations applicable to BAs:

  1. Primer HIPAA Rule Requirements for BAs, which covers general HIPAA-HITECH requirements of BAs, and
  2. Security HIPAA Rule Requirements for BAs, for those organizations that create, receive, maintain or store electronic PHI.


Clearwater Compliance is offering a complimentary whitepaper titled “HIPAA Privacy Requirements for Business Associates (BAs)” to help these organizations determine applicable privacy regulations. This whitepaper offers the following learning opportunities:

  1. Understanding BA expectations as a result of the Omnibus Final Rule
  2. Key considerations for BAs in structuring compliance programs
  3. Points of emphasis for both Business-to-Business organizations and Business-to-Consumer companies
  4. Helpful tools, templates and educational resources

Complete the form to download the entire white paper in PDF format.