HITECH & HIPAA & BAA
We first touched on this issue in a September 2009 blog post, “HITECH & BAA & Vendor Credentialing.” At that time, Vendormate hospitals were brainstorming how to approach the new data security and breach notification requirements with their existing business associates. They also fretted that healthcare service business associates would balk at the requirement.
Now, 18 months later, tweets by @HITNewsTweets alerted me to “HITECH Could Catch Healthcare Service Providers With Their Pants Down” over at TechNewsWorld. In this article, Ed Moyle tells the healthcare service provider community that it is their responsibility to figure out whether or not they are a business associate and, if they are, to determine what the security requirements are. He even offers the hope that what they already do to comply with other security standards like PCI DSS is likely similar to what HITECH requires.
Writing from the vendor point of view, he takes what could at first seem like one more thing to grumble about and turns it around:
The providers that you service and support are going to be looking for a willingness to work with them as a business associate — through, for example, execution of a business associate agreement as well as being able to answer specific questions about how you address the requirements. It’s not the end of the world that these requirements you might not already know about apply to you. By educating yourself to the point that you can demonstrate knowledge of — and can tell a convincing story about how you address — the requirements, you not only satisfy regulatory requirements but you can also demonstrate a potential competitive advantage.