Too often there are misconceptions about new laws or policies because too little effort has gone into educating people about, or elaborating on, the details of the changes those laws or policies bring about.
That is the case with the new HIPAA laws that have been in effect since September 2013. Evidence of this is the overwhelming number of people asking for clarification on the details of the new changes and restrictions that apply to their organizations.
The question that serves as the title of this post is an example of the many questions that have surfaced ever since enforcement of the new HIPAA policies began. The answer is a simple negative: no, a business associate cannot self-certify or be certified by a third party as HIPAA compliant.
The reason is that a business associate, while performing its paid duties for the covered entity, is subject to exactly the same restrictions and laws as the covered entity itself. Compliance is therefore established by contract: the business associate must be under contract with the covered entity in order to be HIPAA compliant.
So, what must the contract include in order to be compliant under the new HIPAA law?
The contract must hold the business associate accountable for the proper use of protected health information and must restrict how the business associate may use that information. It must also require the business associate to make that health information available to the individuals to whom it belongs, as well as to the covered entity.
Beyond these, there are several other details that a covered entity should research and abide by in order to protect itself and comply with the new HIPAA laws.