HIPAA Business Associates

A party (Party) to a HIPAA Business Associate Agreement (BAA) or Subcontractor Agreement (SCA), whether a covered entity (CE), business associate (BA) or subcontractor (SC), may struggle with the question as to whether to agree to, demand, request, submit to, negotiate or permit an indemnification provision (Provision) respecting the counterparty (Counterparty) under a BAA or

Where did the time go?  Today’s the day – September 23, 2013.  This is compliance day for most of the Omnibus Rule changes.  I had a feeling this deadline would catch up with me faster than I would be able to blog my 10 tips, so I’m going to count “TIP TWO” as tips TWO

Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements.  Here’s “TIP THREE” —

TIP THREE:

Covered Entities and Business Associates:  make sure you know where your Protected

Our partner Keith McMurdy posted a timely summary of the requirements of the HIPAA Omnibus Rule for employers and benefit plan sponsors at his Employee Benefits Legal Blog.  It is reproduced below:

Lost in the Shuffle: The September 23 HIPAA Notice Requirements

By Keith R. McMurdy on September 6, 2013. Posted in Plan Administration,

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services’ (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”).  As reported in a previous blog post in this series,

The September 23, 2013 deadline for updating Business Associate Agreements is extended for one year under the Omnibus Rule for covered entities who have compliant Business Associate Agreements in place by Friday, January 25, 2013. This also applies to agreements between Business Associates and their subcontractors.

Covered Entities and Business Associates (as well as

On Thursday, July 8, 2010, the Department of Health and Human Services (HHS) announced proposed modifications to the HIPAA Privacy & Security Rules implementing the HITECH Act.  The proposed modifications include new requirements on business associates with regard to their subcontractors.  

The Office for Civil Rights (OCR) within HHS proposes to include in

For covered entities (CEs) who have tight privacy and security measures in place, the breach notification requirements under HITECH (amending HIPAA) might not seem especially onerous.  But what about breaches the CE doesn’t know about?  What if the CE’s business associate (BA) fails to report a breach of unsecured health information?  What if the BA

In my previous post, I left open the question of whether UPS is on the hook under HIPAA for the box of medical records that ended up in a paper scrap resale warehouse.  The brief response is: not under HIPAA.

The federal government has expressly stated that mail carriers are not considered business