HIPAA Privacy Rule

The HIPAA Privacy Rule applies to health plans, health care clearinghouses, and health care providers. Most health care providers and health plans do not carry out all of their health care activities and functions by themselves; they require assistance from a variety of contractors and other businesses. In allowing providers and plans to give protected health information (PHI) to these "business associates," the Privacy Rule conditions such disclosures on the provider or plan obtaining, typically by contract, satisfactory assurance that:

- The business associate will use the information only for the purposes for which the associate was engaged by the covered entity.
- The business associate will safeguard the information from misuse.
- The business associate will help the covered entity comply with the covered entity's duties to provide individuals with access to health information about them and a history of certain disclosures.

PHI may be disclosed to a business associate only to help the health care providers and health plans carry out their health care functions, not for independent use by the business associate.

VIS Compliance

HIPAA Requirement                                                        VIS Compliance

1. Information Access Control
   Limits access to the application by:
     User ID and password                                                YES
     Role-based access                                                   YES
     Context-based access                                                YES
     User-based access                                                   YES
   Note: HIPAA requires at least one access control mechanism to be present.

2. Auto Log-off
   Time-out mechanism that automatically logs the user off the
   application if no activity occurs within a designated time.           YES

3. Audit Logging
   Provides an adequate report within the application, retroactively
   for the last 3 months, when patient data is:
     Accessed                                                            YES
     Changed (add or edit activity)                                      YES
     Deleted                                                             YES

4. User Authentication
   Uniquely identifies a user by:
     Password (encrypted)                                                YES
     Personal Identification Number (PIN)                                YES
     Telephone callback                                                  N/A
     Token                                                               N/A
   Note: HIPAA requires at least one user authentication method to be present.

VIS Contract Specifics

Under HIPAA, covered entities cannot disclose PHI to business associates unless the two have entered into a written contract that meets HIPAA requirements. These assurances must be documented in a written contract or other written agreement with the business associate. To implement the HIPAA Privacy Rule in letter and spirit, VIS enters into a business associate contract with all its clients to confirm that the company:

- Does not use or disclose the PHI for any purpose other than those stated in the contract.
- Does not use or disclose PHI in a manner that would violate the requirements of the Privacy Rule if done by the covered entity.
- Maintains the safeguards necessary to ensure that the PHI is not used or disclosed except as provided by the contract, and reports to the covered entity any use or disclosure of the PHI not provided for in the contract.
- Ensures that any subcontractors or agents to whom it provides PHI received from the covered entity agree to the same restrictions and conditions.
- Establishes how the covered entity will provide access to PHI to the subject of that information when VIS has made any material alteration to the information.
- Makes its internal practices, books, and records relating to the use and disclosure of PHI received from the covered entity available to HHS or its agents.
- Establishes how the covered entity will provide access to PHI to the subject of that information in circumstances where the business associate holds the information and the covered entity does not.
- Incorporates any amendments or corrections to PHI when notified by the covered entity that the information is inaccurate or incomplete.
- At termination of the contract, returns or destroys all PHI received from the covered entity that it still maintains.
- Authorizes the covered entity to terminate the contract if the covered entity determines that the business associate has repeatedly violated a term required by the Privacy Rule.

How to ensure your contracts/agreements are compliant with the HIPAA regulations

Under the HIPAA regulations, covered entities need to enter into business associate agreements before contracting the services of any business associate. Each organization will need to take the following steps to bring its business associate agreements into compliance:

Inventory all existing agreements: Determine which are business associate agreements and, of those, which will be in effect from the date of compliance. Check all formal agreements, letter agreements and any oral agreements.

Know the rules: Ensure that the individual drafting the business associate agreements understands the relevant HIPAA regulations. A lawyer should review all agreements to make certain that all HIPAA requirements are contained in the agreement.

Draft model language: Adopt model language for all new and existing contracts. Ascertain if it is appropriate or needs to be modified for the specific contract in question.

Establish a work plan: Create a work plan for entering into negotiations with the business associates whose agreements with your organization need to be amended.

Model HIPAA Contract

VIS provides a model HIPAA compliance contract that your legal counsel can evaluate to make sure it contains all the components required under the new HIPAA regulations.