How do you ensure Electronic protected health information (ePHI) is safeguarded when a contract between a Covered Entity and a Business Associate ends? Especially when there is a dispute.
A Business Associate Agreement between a Covered Entity and their Business Associate must clearly spell out the following in order to safeguard ePHI:
– Will the ePHI be returned or destroyed?
– When will the Business Associate do so?
– In what form will the returned information be?
– Are there circumstances that can make return or destruction of the information unfeasible? E.g. technical issues or litigation
It is best to have frank discussions and potentially add specificity in this area in the contract. Not every business associate relationship is created equal, so covered entities may wish to prioritize negotiating these points in certain high-risk situations, such as where the business associate maintains the primary copy of the protected health information.
Covered entities should also consider these circumstances in their information security risk analysis and contingency planning, so that they are prepared if a problem with respect to a business associate returning or destroying protected health information arises.
There have been a number of dispute cases recently, such as the recent Texas/Xerox and Full Circle/CompuGroup battles involving patient data and it is catching the attention of government regulators. OCR seems to be particularly concerned about these issues, and may closely scrutinize incidents where a business associate refuses to return or destroy protected health information.
Latest posts by EHR 2.0 (see all)
- Trump Administrations’ Effect on Healthcare Organizations - January 23, 2017
- HIPAA Fine for Lack of Timely Breach Notification - January 11, 2017
- HIPAA Compliance 2016 Year in Review - January 9, 2017