
BAs, covered entities should comply with HITECH now

Business associates (BA) and covered entities want to know what they must do to comply with the new HIPAA laws in the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Actually, they must know. The compliance deadline is February 18, 2010, but many questions linger.

During an HCPro July 29 audio conference, “Business Associates and Covered Entities: Adapt Contracts to Comply With New HIPAA Law,” attendees asked several questions, including:

  • Which is the BA when a medical device company sales representative is in the OR—the sales rep or the company?
  • Can a covered entity, such as a Medicare-certified hospice program, also be considered a BA if it works on behalf of another covered entity?
  • Will there be some guidance regarding whether updating the existing BAs is going to be required?

The questions probably won’t stop any time soon. However, case-by-case scenarios aside, there is an overlying message to all parties affected by the new HIPAA laws.

“The first thing both the covered entities and the business associates should do is try to understand the new requirements and analyze the gaps between their existing policies, procedures and practices, and what they should be doing—both under HITECH and anything they’ve missed or avoided under HIPAA,” John R. Christiansen, lawyer at Christiansen IT Law in Seattle and chair of the newly formed HITECH Business Associates Task Force of the American Bar Association’s Health Law Section and the HITRUST Business Associates Working Group of the Health Information Trust Alliance, said during the audio conference.

Chris Apgar, president of Portland, OR–based Apgar & Associates, LLC, also presented tips for compliance during the program.

The next step is to map out your expectations regarding contract revisions, as a last-minute approach will overwhelm each party.

“This could make for an unhappy holiday season and cancelled ski trips for folks in organizations which don’t start this process in the very near future,” Christiansen said.

After hearing the responses during and after the audio conference, Christiansen said some covered entities and BAs need to accept some basic denials, including:

  • HITECH covers more than EHRs. The HITECH requirements do not just apply to EHRs or organizations using EHRs. “HITECH is intended in substantial part to promote implementation of EHRs,” said Christiansen. However, its requirements—particularly BAs complying with the HIPAA security rule and contract revision between covered entities and BAs—apply without regard to EHRs.
  • Congress won’t grant extensions. The compliance date on the HIPAA security rule and contract revisions is February 18, 2010, and is “written in the legislation, which means only Congress has the authority to change it. I think given everything else on Congress’ docket these days, relief on this point, which would be opposed by the privacy community and not understood by most other people, will not happen,” Christiansen said.
  • HHS will look for violations. Congress wants enforcement of HIPAA; it wrote into the new laws enhanced civil penalties, expanded regulatory authority, and auditing requirements. “You can’t just assume noncompliance won’t matter because nobody’s looking,” Christiansen said. “Congress wants [HHS] to look, and there are increased financial incentives for federal and state regulatory authorities to pursue penalties.”