From the Desk of Matt Fisher – ICYMI
By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
Tune in weekdays at 2pm, 10pm or 6am ET as Matt serves up the hottest healthcare issues of the day, all from a legal point of view. From public policies and Federal initiatives to privacy and security, join host Matt R. Fisher as he and his guests discuss a smorgasbord of topics, giving hospitals, physicians, vendors and patients a seat at the table. Matt’s virtual conversations can be listened to on demand or heard on air. So don’t miss a minute of what’s on the menu.
ICYMI, read the latest of Matt’s blogs. And don’t forget to join the conversation with Matt on #HCdeJure.
Business Associate Agreement Hot Points
If an organization is involved in healthcare, whether as a provider, facility, consultant, vendor or in almost any other capacity, it is highly likely that HIPAA applies to internal operations and relationships with other parties. As should be well-known, when a relationship is established with one party providing services for or on behalf of a covered entity (this means a healthcare provider, health plan, or healthcare clearinghouse), then the party providing the service is a business associate. Once a party is a business associate, then a business associate agreement (BAA) is needed. In fact, the BAA is not just needed, but mandatory and must be in place before any protected health information is shared. Continue reading on HITECH Answers.
When is Enough, Enough?
An easy to overlook aspect of the HIPAA Privacy Rule is the requirement that all uses and disclosures be of the “minimum necessary” amount of protected health information. That means the least amount of information needed for the intended purpose should be used. That is not always an easy concept to keep in mind or follow. Before diving into an example of an overreaching request, an overview of the minimum necessary requirements will be helpful. Continue reading on HITECH Answers.
What’s the Goal: HIPAA Enforcement
Compliance with HIPAA and the attendant privacy and security requirements is a frequent topic of discussion. Discussions around compliance are driven by the daily reporting of breaches and the probably more than daily issues faced by patients, clinicians and others when HIPAA is misinterpreted. In that face of all of these issues, there are not many options to turn to in order to obtain redress. Unless state law offers some alternative, HIPAA permits filing a complaint with an organization’s privacy officer, the Office for Civil Rights (OCR), or the applicable attorney general. With those options, complaints can then feel as though they disappear into a black hole. Continue reading on HITECH Answers.
Listen in on one of Matt’s Healthcare de Jure episodes.
