Foster Swift Business & Corporate Law Report
When people hear the term “HIPAA,” they usually only think of physicians and hospitals being restricted from sharing their health information with others. However, with the passage of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) in 2010 and the publication of final rules related to the HITECH Act in January of 2013, parts of HIPAA now apply to organizations besides “Covered Entities” (e.g., health care entities). Specifically, those companies that are “Business Associates” of “Covered Entities” are now subject to certain HIPAA restrictions.
The final rules of the HITECH Act became effective on March 26, 2013 but, Business Associates and Covered Entities have until September 23, 2013 to become compliant. Civil penalties for violating HIPAA can result in up to $1.5 million in fines per year for each violation. Non-compliance can be an expensive mistake.
Accordingly, prior to September 23, 2013 businesses have the important task of:
- determining if they need to become HIPAA compliant (which is not always as simple as it sounds) and, if necessary,
- becoming compliant with certain HIPAA requirements.
The HIPAA requirements are often complicated and time consuming. So, businesses should act now to ensure compliance by the September 23, 2013 deadline.
Are you a Business Associate?
An important first step is determining whether your company is a Business Associate. A Business Associates is broadly defined as “a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.” Business Associates include people and entities such as: a CPA firm whose accounting services to a health care provider involve access to protected health information; an independent medical transcriptionist that provides transcription services to a physician; or a consultant that performs utilization reviews for a health plan. The final HITECH rules also expand the definition of Business Associates to include subcontractors who receive protected health information on behalf of another Business Associate. Therefore, your company may be a Business Associate even if you are not directly working with a health care entity.
It is important that you examine if your business is receiving any personal health information from any source. If you do receive any health information, you should consult your attorney to assist in determining if you are a Business Associate that must comply with the HIPAA rules.
How do I get HIPAA Compliant if I am a Business Associate?
Getting HIPAA compliant is no easy task. HITECH places all of the Security Rule burdens of HIPAA on Business Associates and some of the Privacy Rule burdens as well. The Security Rule requirements are expansive and complex. The Security Rule obligations consist of risk analysis and management along with administrative, physical and technical safeguards. For example, in order to comply with the Security Rule, a Business Associate must implement policies and procedures for authorizing access to protected health information and provide training to its workforce on such procedures. In addition, Business Associates may need to implement encryption software in order to properly safeguard information under HIPAA.
Once it is determined that your company is a Business Associate, you should contact your attorney to help begin the process of compliance with HIPAA. Not complying with any of these requirements is a violation of HIPAA and can subject your company to the civil penalties discussed above.
Additionally, Business Associates are required to enter into Business Associate Agreements. If your company was already complying with the Security Rules as a Business Associate when the HITECH Act was implemented, the final rules changed some of the Business Associate Agreement requirements. Your company will need to ensure that any Business Associate Agreement it has in place is compliant. Therefore, if you are a Business Associate and do not have a Business Associate Agreement in place, it is imperative you get one in place; if you have a Business Associate Agreement in place, it is likewise imperative that you update it to comply with the final rules. Beyond having a compliant agreement in place, it is important that each Business Associate Agreement that you enter into protects your company from any extra liability.
To determine what steps you need to take to become HIPAA compliant as a Business Associate, please contact Nicole Stratton at (517) 371-8140.