Friday March 19, 2010
BridgeFront - http://www.hipaarx.net & Regulatory Compliance Products - HOME
 

 

BUSINESS ASSOCIATES
Business Associates Certification - Business Advantage

In 2000, the federal government issued a privacy regulation as part of the Health Insurance Portability and Accountability Act (HIPAA) administrative simplification. This regulation affects health plans, providers and data clearinghouses (known as "covered entities"), which are expressly covered by the HIPAA legislation. The regulation requires covered entities to implement protections for individually identifiable health information, and to set policies, procedures and practices to ensure that this protected health information (PHI) is used and disclosed appropriately.

However, when writing the regulation, the federal government recognized that covered entities are not the only organizations in today's health care market that handle PHI. Health plans, providers and clearinghouses often share PHI with vendors and subcontractors, who may generate additional PHI as part of their services. Therefore, the regulation requires that covered entities obtain "satisfactory assurance" from these "business associates" that they are able to protect, use and disclose PHI in an appropriate manner.

In turn, business associates must obtain similar assurances that their subcontractors and vendors are able to handle PHI appropriately. According to the regulation, the satisfactory assurances from business associates must be in the form of a contract or other agreement. Covered entities, which must be in compliance with other portions of the HIPAA privacy regulation by April 2003, must obtain new or renegotiated contracts and agreements with business associates by April 2004.

Although the HIPAA privacy regulation is specific as to the obligations of covered entities for their own handling of PHI, the requirements for business associates are not. Covered entities must implement specific provisions in contracts and agreements with business associates, but the Department of Health and Human Services (HHS) provides no guidance on how covered entities should verify those assurances.

As part of their efforts to obtain those assurances, covered entities are likely to conduct due diligence with their business associates to document their abilities to handle PHI. Business associates, on the other hand, want to provide satisfactory assurances to their covered entity clients, but are concerned that due diligence from covered entities will limit their ability to conduct business.

The new HIPAA requirements mean that covered entities will be forced to approach contracting with business associates in a fundamentally different way, with confidentiality and security of PHI at the top of their list of concerns.

HIPAA Solutions' Privacy Certification for Business Associates Program will significantly help covered entities select business associates with whom to contract.

Our Privacy Certification for Business Associates Program can reduce the burdens of cost, time and effort expended by both covered entities and business associates by reducing the cost of due diligence and oversight.

These costs can be significant. For example, some covered entities are requiring their business associates to submit all privacy policies and procedures for prior review and approval. Other covered entities are requiring the right to come on site to audit books and records related to privacy compliance. Eliminating the need for this kind of review will benefit covered entities and business associates alike.


For more information on HIPAA Solutions Rx products and services, email info@hipaarx.net or call 866-447-2211.