According to Health Data Management, CMS has detailed new requirements regarding business associates.

The contract between a covered entity and a business associate “must require a business associate to report to the covered entity any security incident of which it becomes aware,” according to the guidance. In the contract, the covered entity and business associate “must document the specifics of the reporting requirements, including the frequency, level of detail, format and other relevant considerations.”

The CMS HIPAA web site, first reported here on March 30, also provides new guidance on the security incident procedures standard, assigning the same user ID to multiple employees, examples of threats to address in risk analyses, and plan sponsors reporting security incidents to a group health plan.