HIPAAnotes Volume One, May 2001
No. 25 HIPAAdetail: Business Associate vs Chain of Trust
How do we interact with other businesses? What happens to protected
data when it leaves the organization? HIPAA uses two agreements,
Business Associate and Chain of Trust, to describe and prescribe
these relationships.
The privacy reg outlines a Business Associate contract, which
concerns the use and disclosure of patient information. Business
associates must protect patient health information disclosed to
them by a covered entity.
Generally, a business associate is someone who performs a service
or function on behalf of the covered entity. In doing this, the
associate receives protected health information. Examples of business
associates include lawyers, auditors,
consultants, third-party administrators, clearinghouses, data processing
firms, and billing firms.
The proposed security reg requires a Chain of Trust agreement,
where the parties agree to electronically exchange data and to protect
the transmitted data. The chain of trust relationship is between
the sender and receiver. So, a number of agreements may be involved
as the data is moved from the originator to the
ultimate receiver.
For more information on these contracts, go to:
http://www.hipaadvisory.com/action/HIPAAdvisor.htm
No. 26 TechTerm: Application Service Provider (ASP)
Here's yet another acronym for you: ASP. ASPs are Application Service
Providers.
An ASP provides remote access to applications, typically over
the Internet. ASPs are used when an organization finds it more cost
effective to have someone else host their applications than to do
it themselves. The ASP provides the "backend"
hardware and software.
The ASP's potential is to cut the healthcare user's capital expenditures.
Additionally, the ASP is responsible for upgrading and maintaining
the software. Using ASPs can give an organization predictable costs
for budgeting while reducing the risk of big capital investments in
new software licenses and hardware.
An ASP can provide an application as simple as web-based e-mail
or as complex as a multi-entity patient scheduling system.
Most work on a monthly or yearly subscription fee.
The role of ASPs has broadened lately. There are now WASPs (Web
ASPs), Storage Service Providers, Management Service Providers, and
Hosting Service Providers.
For more information on HIPAA-related technology, go to:
http://www.hipaadvisory.com/tech/
No. 27 HIPAAdetail: Media Matters
Sometimes the press is interested in who is being treated and
why. Celebrities and public figures are of interest to the press,
as are victims of terrorist acts, natural
disasters and major accidents.
HIPAA allows "directory information" to be given to
the press if the patient is asked for by name. Directory information
is the patient's location in the hospital and condition in general
terms (e.g., fair, stable).
Patients must be allowed to "opt-out" of the directory
and have some or all of their information restricted.
In the case of disasters, directory information can often assist
in disaster relief efforts. Hospitals may give this information
only to organizations authorized to assist in such efforts.
For more information on the Privacy Rule, go to:
http://www.hipaadvisory.com/action/privacy/
http://www.hipaadvisory.com/regs/finalprivacy/
No. 28 HIPAAterm: Privacy Official
Wonder what the "privacy official" will do in your organization?
The HIPAA Privacy regulation requires the designation of a privacy
official, who is responsible for the development and implementation
of policies and procedures.
In other words, the privacy official is not necessarily a position
title, but a designated person who is responsible for HIPAA Privacy
reg compliance.
The privacy official's tasks may be delegated to a committee and/or
others within your organization. The responsibility of the position,
however, cannot be delegated.
The Security NPRM does not require a "security official."
The "assigned security responsibility" might be done under
the auspices of the "privacy official." Other entities
may assign this responsibility to someone specifically technically
competent in securing PHI in a systems environment.
For more information, go to:
http://www.hipaadvisory.com/action/privacy/
http://www.hipaadvisory.com/regs/finalprivacy/530.htm
No. 29 HIPAAtech: A HIPAA ASP
A little while ago, we discussed ASPs (Application Service Providers).
To sum up, an ASP provides remote access to applications, typically
over the Internet.
If a covered entity sends patient data to an ASP, HIPAA security
and privacy controls should be in place, including user authentication,
access control, data integrity and confidentiality. The ASP should
make the technology side of this transparent.
An ASP would be considered a business associate engaged in a chain
of trust agreement with the organization. Now, healthcare users must
evaluate ASPs not only on their business merits but also on how well
they fit into your HIPAA compliance plans.
For more information on HIPAA-related technology, go to:
http://www.hipaadvisory.com/tech/