ABRET HIPAA Policy

• Sample Business Associate Agreement
• Addendum

When the United States Congress passed the Health Insurance Portability and Accountability Act (“HIPAA”) (codified at 45 CFR parts 160 and 164) Congress anticipated and provided that Personal Health Information (“PHI”) would be used in reviewing the competence or qualifications of health care professionals for the purpose of certification and accreditation. 45 CFR part 164.501.

It is ABRET’s policy to fully comply with HIPAA. ABRET’s mission is to encourage and promote quality technical and clinical standards world-wide for neurodiagnostic technologists and laboratories through certification and accreditation. By adopting this HIPAA Policy ABRET is endeavoring to not only meet its legal responsibility, but also its moral responsibility to patients, society, and other health care professionals.

To best evaluate adherence to ABRET’s standards for certification and accreditation, ABRET requires laboratories disclose certain patient records for review and analysis as part of the laboratory accreditation process. Consequently, ABRET requires that labs remove as much individually identifiable information as possible from the records and information used for accreditation. However, ABRET recognizes that in some circumstances it is impossible to remove all PHI. To permissibly review PHI, HIPAA requires that a Business Associate Agreement is executed. Toward such end, ABRET will enter a Business Associate Agreement (or a Business Associate Agreement Addendum in cases where a hospital or institution uses its own Business Associate Agreement.)

The Executive Director will serve as ABRET’s HIPAA Compliance Officer. ABRET’s HIPAA compliance officer will be responsible for the development and implementation of policies and procedures relating to privacy of PHI. ABRET’s HIPAA compliance officer will conduct board training that is necessary and appropriate to permit board members and ABRET examiners to carry out their functions.

ABRET requires its reviewers to sign a written Confidentiality Agreement in which they agree not to copy patient records or information in any manner while such information is in their possession. Further, ABRET reviewers agree not to disclose patient information. Patient records and information are used only for the purpose of evaluation during the accreditation period. (This period is nine weeks for lab accreditation.) After review, ABRET shall promptly destroy or return data submitted for the review process.