While the Department of Health and Human Services' proposal to ease up on the consent provisions of the Health Insurance Portability and Accountability Act privacy rule is a welcome step, further changes to the business associates rules are needed to avoid adding pointless costs and complexity to the accreditation process. So says the Joint Commission on Accreditation of Healthcare Organizations in its formal comments on HHS' March 27 proposed changes to the HIPAA privacy reg. As the reg stands, JCAHO and the health care organizations it accredits would be faced with "over 18,000 individual agreements that must be negotiated, signed by the parties, retained, and revised as circumstances change." Eliminating the business associate contract requirements for accrediting organizations, or alternatively permitting providers to rely on accreditors' published privacy policies, would realize HHS' objectives without "draining scarce resources away from the delivery of care," JCAHO maintains.
Such a mandate would mean big headaches and lost dollars for everyone involved, JCAHO says without really increasing patients' privacy protection in any substantive way. In the letter, JCAHO's Director, Federal Relations Anthony Tirone points out that, even now, before HIPAA is in effect, "published policies on access, use and disclosure of information are fundamental to the accrediting bodies' relationships with covered entities." The policies inform providers of the accrediting body's privacy practices, and a violation of those policies "can result in termination of the relationship with the accrediting body."
In other words, a business associate agreement merely duplicates at substantial expense a bond between providers and accreditors that already exists.
"Allowing covered entities to rely on the published polices of national accrediting organizations accomplishes the same desired result, i.e., extension of the protections, without imposing on the health care organizations or the accreditors the cost and complexity inherent in the securing" of business associate agreements, Tirone writes. "No greater rights or responsibilities result from the existence of the agreement or are lost without it."