According to the great team at Information Law Group, the new proposed HITECH rules broaden the concept of business associates who are required to comply with HIPAA. As an example, they cite a company hired to shred documents, including medical records, which would be required to comply with the applicable requirements of HIPAA’s Security Rule.
Proposed rules make written policies and procedures critically important
If a covered entity under HIPAA gets investigated and can’t point to written policies and procedures about handling disposal of hardware or requests from individuals to restrict the use and disclosure of their protected health information, then this could be viewed as “willful neglect” and subject the entity to a higher category of civil penalties.