Capella University Business Associate Contracts Report
OVERVIEW
The business of healthcare has become very complex, so much so that most healthcare providers engage third parties for information technology and other services. Covered entities bear responsibility for assuring the HIPAA compliance of these third parties. This assignment focuses on how model business associate contracts (from Federal Government and other sources) may be used to manage risk while engaging third-party business associates. Through careful crafting of business associate contract language you can assure that HIPAA requirements are met. Doing so provides a measure of protection against the chance that a covered entity’s business partners allow a breach of healthcare information privacy.
ORDER NOW FOR COMPREHENSIVE, PLAGIARISM-FREE PAPERS
INSTRUCTIONS
Preparation: Review the case titled “HHS Settles With Health Plan in Photocopier Breach Case.” The case provides an example of a situation where a business associate agreement with a third party could have helped a covered entity avoid a HIPAA violation.
Write responses to the following scenarios about potential business associates. Review the facts of the scenario, and determine if a business associate agreement is required for that third party. If a business associate agreement is not required, explain your reasoning. If a business associate agreement is required, explain why. Be specific about what is required in the business associate agreement.
Third-Party Business Associate Scenarios
- Driscoll Children’s Hospital (DCH) is the largest nonprofit healthcare for children in South Texas. It serves 20 counties from south of Interstate 10 down to the Rio Grande River Valley on the border with Mexico. Patients are always cared for regardless of their ability to pay. No child is refused service by Driscoll. Recently the administration of DCH decided to outsource its facility cleaning function to a third-party provider: Omega Janitorial Service. The contract calls for Omega to clean the secured IT facility where patient protected health information (PHI) is stored and accessed. Given this situation does Omega need to be placed under a HIPAA Business Associate Agreement due to its proximity to PHI? If so, what safeguard considerations need to be specified in the Business Associate Agreement (BAA). If not, why not? Explain your reasoning in either case.
- DCH recently expanded their healthcare technology to include the latest in Positron emission tomography (PET) scanning. They hope to treat rare and difficult cases involving brain tissue. Giving their remote location in Corpus Christi, they are having a difficult time recruiting sufficient technicians and physicians trained in PET technology. To overcome this issue, they have decided to contract with the University of Texas Health Science Center in Dallas, where PET technology is widely used and taught in their medical school, Southwestern Medical University. Through encrypted virtual private network (VPN) they will allow technicians and doctors to directly access the PHI via optic fiber linkup. Will this arrangement require a BAA? Is so, explain the safeguards that need to be highlighted in the BAA. If not, explain why not.
- DCH has decided to join the Texas Statewide Health Information Exchange (link in the Resources). This state run service allows healthcare organizations to share PHI among its members to allow customers (patients) to receive care statewide without the need to continuously provide their medical information. From what you can read on the Web site, will this arrangement require a BAA? If so, explain why and what safeguards should be enabled. If not, explain your rationale.
References:
https://www.medpro.com/hipaa-third-parties
-
attachment_1attachment_1