Options for Firms With and Without Their Own Email Servers
rm360 rm360plus

 Follow The Industry Radar
 facebook-32x32  ty  re ew  qw  ds
Loading. Please wait...

AddThis Feed Button

Everything a BA or CE Needs to Know in One Place

Click Below on the pictures below for our webinar slides and for our white paper and other resources for you and your organization


 7/2010 - New HIPAA HITECH Rules - Blog Update


Slide Deck from
8/25 Webinar

Email us or call 404-418-5550 if we can help you "Get Compliant, Stay Compliant and Protect Your Clients ePHI"

What BA's and CE's Must Do To Be HIPAA HITECH Compliant

Updated Verbatim friom HHS NPRM Guidance 7/2010:

“We assume that business associates in compliance with their contracts (editor - i.e carrier BA agreements) would have already:

  1. designated personnel to be responsible for
  2. formulating the organization’s
    1. privacy and
    2. security policies,
  3. performed a risk analysis, and
  4. invested in hardware and software to prevent and monitor for
    1. internal and
    2. external breaches of protected health information.”

What is HITECH: The Health Information Technology for Economic and Clinical Health Act (HITECH) significantly expanded the reach of the HIPAA Privacy Rule and Security Rule, along with the corresponding penalties. 

What does HITECH Do?

  • HIPAA now applies to HIPAA to covered entities (CE) business associates (BAs) directly. 
  • HITECH includes a statutory obligation for BAs to comply with HIPAA.
  • HITECH also requires PHI breach notification, which was not part of the original HIPAA rules. 
  • HITECH also substantially increased the penalties for HIPAA violations

Why HITECH Applies to You – Brokers/agents are BA’s if they have BA agreements with any insurer and/or receive, create, transmit or maintain personal health information (PHI). Census, enrollment, claims info et al are PHI.

Required Compliance Activities Overview - These actvitites need to be done by all BA’s, regardless of size:

  • Appoint a chief privacy/security officer
  • Do a full risk assessment of you business, get a gap analysis and focus on those areas to fix
  • Privacy and Security Policies Documented and in place
  • Implement all HIPAA security administrative, technical and physical safeguards
  • Get encryption in place for all PHI your organization handles and communicates
  • Update/establish business associate agreements with your clients and vendors
  • Conduct privacy and security workforce training
  • Comply with new notification rules for breach of unsecured PHI

New Breach Rules -  HITECH establishes mandatory federal breach reporting requirements for HIPAA CE’s and their BA’s, as well as a new “Tattle” rule which requires BA’s to report their CE’s breaches. It also requires local media notification as mandatory if a breach involves 500 or more lives in one state.

New Enforcement and Penalties - State Attorneys General to can now take legal action on HIPAA privacy/security violations. CT took the first action against Health Net last month.  BAs that violate the security and privacy provisions of HIPAA are subject to the same new and beefed up civil and criminal penalties as a covered entity:




Maximum per Year

Tier A - Did not Know



Tier B - Reasonable cause, not willful neglect



Tier C - “Willful Neglect”, corrected



Tier D - “Willful Neglect”, uncorrected



Compliance Deadline – Was 2/17/2010. Failure to be compliant will likely be viewed as “willful neglect”. There is no such thing as partial compliance. It is all or nothing for all CE’s and BA’s, not just you.