New HIPAA Provisions Place Requirements on Business Associates of Covered Entities
As you likely know, the American Recovery and Reinvestment Act of 2009 significantly changed provisions in the HIPAA Privacy and Security Regulations, broadening their applicability and creating new provisions that place new requirements on those covered by the rules, such as physicians. These laws had not undergone revision since they were enacted years ago.
For years, physicians have had to ensure that appropriate agreements were in place with their business associates, which include anyone who provides legal, accounting, consulting, financial, quality assurance, or billing services, among others. These agreements contain a great deal of standard language and require the business associate to secure the physician's protected health information and to use and disclose it only as appropriate.
Prior to the stimulus package, the HIPAA rules did not directly apply to business associates, as they were only subject to the contract provisions mentioned above. Regulatory authorities could not enforce the provisions against or sanction a business associate. The stimulus package changed this by:
- Extending many provisions of the HIPAA rules to business associates
- Expanding civil and criminal penalties for violation of the applicable rules to business associates
- Requiring periodic compliance audits of business associates by the United States Department of Health and Human Services.
The stimulus package also created the first comprehensive security breach notification requirements for the unauthorized acquisition, access, use, or disclosure of protected health information, where the breach compromises security or privacy. These new rules require notification to patients and the HHS Secretary in the event of a breach. Depending on the number of individuals impacted, other notifications may be required.
In addition, penalties will be increased up to a maximum of $1.5 million depending on certain factors. Some groups have criticized those that enforce the rules for the limited number of enforcement actions taken. The new law gives state attorneys general the authority to bring suit in federal district court, on behalf of state residents, against any person violating the rules, to stop further violation or to obtain damages on behalf of such residents. The court will be allowed to award attorneys' fees to the state in such actions.
Physicians should now take certain steps with respect to the compliance of their business associates, including:
- Business Associate Agreements should be amended to ensure that the business associate is specifically required to comply with relevant provisions.
- Business Associate Agreements should now contain language which requires the business associate to inform the physician within a certain period of time (the shorter the better for the physician) of a breach.
Among other provisions that physicians may want to consider with their attorney for inclusion are:
- Requiring business associates to maintain sanctions against agents and subcontractors that violate the terms of the Business Associate Agreement.
- Allowing the physician to inspect and request information of the business associate to ensure compliance.
- Stating that the business associate has no ownership rights over the protected health information.
- Allowing the physician to terminate the agreement if the business associate is named as a defendant in a criminal proceeding for a violation of the rules, or if a finding or stipulation that the business associate has violated the rules has been entered in an administrative or civil proceeding.
- Provisions allowing for injunctive relief (the prevention of further breaches).
- Indemnification provisions.
- Provisions requiring the business associate to make itself and those associated with it available to the physician as needed in the event that litigation or administrative proceedings related to the rules are commenced.
- Language stating that the agreement is not meant to allow a non-party to the agreement the opportunity to sue the parties.
It is important to note that physicians are not required to monitor or oversee the ways that their business associates carry out privacy safeguards or the extent to which the business associate abides by the Business Associate Agreement.