Kusserow’s Corner: Are You Prepared to Meet the HIPAA Business Associate Mandates that Go Into Effect this Month?

The sweeping changes to the HIPAA mandates for business associates and subcontractors are fast approaching. On September 23, 2013, parties covered under HIPAA must meet new requirements for breach assessment and notification, business associate agreements, training, privacy notices, authorization forms, and HIPAA Privacy and Security policies, among others. Thus far, thousands of covered entities, business associates and subcontractors are still not in compliance, exposing them to significant liability. According to the OCR Director, thousands of breaches of protected health information (PHI) occur daily, and this can be expected to continue into the foreseeable future.

New regulations were published in January 2013 that greatly expanded federal health care privacy and security law and extended its application to a new range of companies that service the health care industry. These final rules modify the HIPAA Privacy, Security and Enforcement Rules to implement the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and mark the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of the HHS Office for Civil Rights (OCR) to vigorously enforce the regulations, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.

The final rule, at 45 CFR sec. 160.103, clarifies that the nature of the services provided and the extent to which the person or entity requires access to PHI determine whether or not that person or entity qualifies as a business associate. The determination does not depend on whether the parties have entered into a business associate agreement (which is required regardless). A business associate is defined as a person who “creates, receives, maintains or transmits PHI on behalf of a covered entity,” and the definition now expressly includes the following additional entities: (1) patient safety organizations when they receive and analyze reports on patient safety events from providers; (2) health information organizations, e-prescribing gateways, and persons or entities providing data transmission services involving PHI to covered entities that require routine access to the PHI; and (3) vendors of personal health records when hired by a covered entity to provide records to one or more individuals.

To come into compliance, health care providers, group health plans, and business associates will have to create or amend existing policies by the deadline or expose themselves to significant liability and penalties. This applies to all organizations that handle health-related information, that is, any provider, company, entity, or contractor that may come into contact with PHI. This includes consultants who provide IT or other services on behalf of a provider. Modifications to the HIPAA rules include:

  1. Business associates are now directly liable for compliance with the HIPAA Privacy and Security Rules and subject to HHS enforcement.
  2. Strengthened limitations on the use and disclosure of PHI for marketing and fundraising purposes, and a prohibition on the sale of PHI without the individual’s authorization.
  3. Expansion of individuals’ rights to receive electronic copies of their PHI and to restrict disclosures to a health plan concerning services for which the individual has paid in full out of pocket.
  4. Required modifications to covered entities’ notices of privacy practices.
  5. Increased civil monetary penalties for noncompliance.
  6. A changed definition of “breach”: the subjective “harm” threshold is replaced with the more objective “low probability of compromise” standard, under which an impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment demonstrates a low probability that the PHI has been compromised.

For more information on how to comply with the new mandates, a webinar is being made available free of charge on September 24. It is entitled “Are You in Compliance with the New HIPAA Business Associate Requirements? Quick, Cost-Effective Solutions for HIPAA Compliance: Business Associate Agreements.” This short and to-the-point program focuses on solutions for BAs and subcontractors and will provide guidance on how to quickly and economically come into compliance.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance-related matters. The SM sister company, CRC, provides a wide range of compliance tools, including sanction screening.

Copyright © 2013 Strategic Management Services, LLC. Published with permission.