After this article first ran, I was contacted by a HIPAA consultant who pointed out that a couple of items about HIPAA compliance seemed to be ambiguous. In the interest of making sure readers have accurate information, here's a quick rundown.
In the section entitled The Privacy Rule, I wrote:
"The disclosure of PHI is limited to the minimum details necessary for treatment or basic business practices."
Specifically, providers are not required to seek permission to release information from patient records for the purposes of Treatment, Payment or Healthcare Operations. This does allow IT service providers a lot of latitude, however, while the original statement might have been ambiguous, it never hurts to err on the side of caution.
Also, in the section entitled The Security Rule, I wrote:
"Under the required Business Associate Contract, IT providers may be required to disclose their policies and submit them to HHS for compliance approval."
There is not a requirement from Health and Human Services that Business Associate Contracts (or "Business Associate Agreement") are submitted for review, just that they may be requested. Also, the HIPAA rules do not require that the agreement contains specific language requirements, merely that they adhere to the intent of HIPAA.