Under HITECH, organizations and/or individuals that meet the definition of a BA must comply with HIPAA, even without a business associate agreement (BAA). HITECH also requires organizations and/or individuals who meet the definition of a BA to comply with certain provisions of HIPAA, including breach notification and restrictions on the sale of health information, and subjects them to the same criminal and civil penalties that CEs face when the law is violated. Before HITECH, HIPAA bound BAs only by virtue of their association with one or more CEs (Brodnik 220). Under HITECH, covered entities and BAs are not allowed to sell patient information without the patient's authorization, although there are some exceptions. For example, a patient's authorization for release of their protected health information (PHI) is not required for public health and research data, for a BA acting pursuant to a BAA, and for an individual who is receiving a copy of his or her own