More and More Companies need HIPAA Compliance due to Changing Regulations
In February 2010, the HITECH changes to HIPAA went into effect. These required that the Business Associates of HIPAA Covered Entities also be HIPAA compliant with respect to the Protected Health Information (PHI) they manage and transmit. This was a big change with big ramifications, but more changes are coming.
On July 14th, 2010, the US Department of Health and Human Services (HHS) published a series of proposed changes to HIPAA in a notice in the Federal Register. All comments on these proposed changes are due by September 13th, 2010, and the final rules will likely go into effect shortly thereafter.
With respect to electronic communications, there are several significant changes that will be happening.
HIPAA Compliance will be Required of Business Associates AND their Subcontractors.
While the HIPAA HITECH rules indicated that the Business Associates of HIPAA Covered Entities would need to also abide by HIPAA, the rule changes extend this requirement to all subcontractors and associates of these Business Associates (and their subcontractors and associates and so on down the line).
In this way, the PHI of a Covered Entity will be protected by HIPAA compliance no matter what business entity it is handed off to. In the end, it doesn’t matter if the Covered Entity has no direct knowledge of or association with the organizations who have access to their PHI. The chain of association requires HIPAA compliance all along the way.
- It is the Covered Entity’s responsibility to use vendors that are HIPAA Compliant with respect to their PHI and to enter into compliant Business Associate Agreements with them.
- It is each Business Associate’s responsibility to ensure that all of its subcontractors and associates who may touch PHI are also HIPAA compliant with respect to that PHI, and that there are Business Associate Agreements (or other suitable arrangements) in place with them.
- These subcontractors and associates must similarly ensure that their own subcontractors and associates are HIPAA compliant if they will be passing the PHI along to them, and so on down the line.
As a result, many organizations that previously had no need for HIPAA compliance may need to become compliant in those areas of their business where they deal with PHI.
Timeline for Compliance
Once the final rule goes into effect:
- Business Associates, Covered Entities, and their Associates will have 180 days to come into full compliance with its provisions.
- Existing Contracts: Organizations with existing compliant Business Associate Agreements will have one year to update those agreements to bring them into compliance with the new rules.
Liability
The subcontractors who fail to abide by these rules would face the same civil and criminal penalties that Covered Entities do, under HIPAA.
What To Do?
Covered Entities should ensure that they have HITECH-compliant Business Associate Agreements in place with all vendors which may interact with their PHI.
Organizations that service the Health Care industry in any way should review and discover which aspects of their business may involve the PHI of HIPAA-Covered Entities (even if those Entities are not direct customers) and take steps to (a) ensure that the PHI is handled in a HIPAA-compliant way, and (b) ensure that their associates have appropriate agreements in place with respect to this private information.
Electronic communications through email, web sites, web forms, and PDF forms are common avenues through which PHI may be transmitted. Outsourcing these services to an organization, such as LuxSci, which provides HIPAA compliance may be an easy and very cost-effective way to address your compliance needs.
August 2nd, 2010 at 12:21 pm
Business associates need to be aware that HHS expects them to be compliant with the terms of any business associate agreements they have signed, now! Here is the pertinent section from the NPRM:
9. Business Associates and Covered Entities and Their Contractual Relationships.
The proposed rule would extend liability for failure to comply with the Privacy and Security Rules directly to business associates and business associate subcontractors in a manner similar to how they now apply to covered entities. The proposed rule would subject business associates to many of the same standards and implementation specifications, and to the same penalties, that apply to covered entities under the Security Rule and to some of the same standards and implementation specifications, and to the same penalties, that apply to covered entities under the Privacy Rule. Additionally, business associates would also be required to obtain satisfactory assurances in the form of a business associate agreement from subcontractors of any protected health information in their possession. If the business associate learns of a pattern of activity or practice of a subcontractor that constitutes a material breach or violation of the contract, the business associate would be required to make reasonable attempts to repair the breach or correct the violation. If unsuccessful, the business associate would be required to terminate the contract, if feasible. In addition, a business associate would be required to furnish any information the Secretary requires to investigate whether the business associate is in compliance with the regulations.
In the absence of reliable data to the contrary, we assume that business associates’ compliance with their contracts ranges from the minimal compliance to avoid contract termination to being fully compliant. The burden of the proposed rules on business associates depends on the terms of the contract between the covered entity and business associate, and the degree to which a business associate established privacy policies and adopted security measures that comport with the HIPAA Rules. For business associates that have already taken HIPAA-compliant measures to protect the privacy and security of the protected health information in their possession, the proposed rules with their increased penalties would impose limited burden.
We assume that business associates in compliance with their contracts would have already designated personnel to be responsible for formulating the organization’s privacy and security policies, performed a risk analysis, and invested in hardware and software to prevent and monitor for internal and external breaches of protected health information.
We expect that most business associates make a good-faith effort to follow the terms of their contracts and comply with current security and privacy standards.
For those business associates that have not already adopted HIPAA-compliant privacy and security standards for protected health information, the risk of criminal and/or civil monetary penalties may spur them to increase their efforts to comply with the privacy and security standards. Up to this point, the consequences of failing to meet the privacy and security standards were limited to a business loss in the form of a terminated contract. In the context of the business associate’s overall business, the risk of losing the contract may not be a sufficient incentive to warrant investing in added security or establishing privacy policies potentially at significant expense. There may be other more benign reasons such as ignorance of potential threats or lack of knowledgeable personnel on staff. Regardless of the reason, to avoid the risk of the far more serious penalties in this proposed rule, we expect that business associates and subcontractors that have been lax in complying with the privacy and security standards may now take steps to enhance their security procedures and strengthen their policies for protecting the privacy of the protected health information under their control.