Related Links

Hospitals and other provider organizations should be working with their business associates now to prepare for compliance with updated federal data privacy and security provisions under the American Reinvestment and Recovery Act. That's the advice of Mary Thomason, senior compliance consultant at Intermountain Healthcare, a Salt Lake City-based delivery system.

As a result of ARRA, business associates must comply with the HIPAA privacy and security rules that were modified under the law. Business associates also will be subject to the same penalties as covered entities, such as hospitals and physician groups, for privacy and security violations.

Business associates are organizations that provide a service for a covered entity and use protected patient information to provide that service, Thomason said. Business associates now must notify providers when a data security breach involving patient data occurs, she notes.

At the American Health Information Management Association convention Oct. 5 in Grapevine, Texas, Thomason offered the following advice:

* Be certain that all business associate agreements spell out all the details on the timing and content of security breach notifications. "You want to know quickly if there's been a breach," Thomason said.

* Make sure you have current contact information for key business associate staffers who handle privacy/security issues. Intermountain also wrote a letter to all 500 of its business associates in September, notifying them about who they could contact around-the-clock at the provider organization regarding security breaches.

* Be prepared to demonstrate to the Department of Health and Human Services' Office for Civil Rights how your organization is complying with privacy and security requirements. The office will be conducting compliance audits of both business associates and covered entities.

--Howard Anderson