Home Computer Science
Health Insurance Portability and Accountability Act (HIPAA) Compliance
□ Health Information Technology for Economic and Clinical Health (HITECH) Act
□ Civil and criminal penalties
□ Expanded definition of business associates (BAs)
Who Are BAs?
□ Working on or behalf of covered entities (CEs)
□ Providing protected health information (PHI) data to CEs
□ Vendors contracting with CEs
Fail to Comply with HI PA A
□ CMPs: $100—$10,000/violation
□ Criminal penalties
□ Mandatory Health and Human Services (HHS) investigation and assessment
□ Civil actions by state attorney generals (AGs)
Security Breach Notification
□ Must notify CEs of unsecured PHI breaches
□ CEs must notify individuals
□ CE may need to notify HHS and local media
□ BAs bear burden to prove reasonable delay in notification
□ Security breaches of unsecured PHI include unauthorized acquisition, access, use, or disclosure of PHI
□ Unsecured PHI is not encrypted or destroyed
□ CEs must notify patients within sixty days after discovery of breach
□ Date of discovery or date breach should have been discovered
□ Information BAs provide to CEs following breach
□ Contractual obligations of BAs to notify on behalf of CEs
□ Compliance with state laws
□ BAs’ internal policy for notification
□ Contractual binding of subcontractors
HIPAA Security Rule
□ Administrative, physical, and technical safeguards
□ Specific standards of implementation
□ Gap analysis for shortfalls
□ HHS recommends technical safeguards
□ Subcontractor agreements
□ Information security due diligence questionnaire
□ Amending noncompliant BAAs
□ Renegotiate with CEs
□ BAAs increase in complexity
□ Indemnifying CEs
□ Required notification of breach on behalf of CEs
□ Responsibility for costs of breach
□ Draft form amendments to BAAs
□ Minimize negotiation terms not required by law
□ Reflect obligations of BAs, but protect from liability for subcontractor breaches
Additional HIPAA Requirements
□ Comply with minimum necessary standards
□ Use of a limited data set?
□ Ongoing assessment of what is minimum necessary
□ CEs must account to individuals of disclosures from electronic health records (EHRs)
□ Monitor developing HHS advice
□ No direct or indirect remunerations to BAs for EHR or PHI
□ Making recommendations for products or services
Steps for Breach Notification Compliance
□ Analyze existing policies and procedures
□ State breach notification requirements?
□ Designate person to ensure breach investigation and determine if breach occurred
□ Outside legal counsel
□ No unreasonable delay in reporting
□ Impacted individuals identified
□ Impacted individuals reported to CE
□ Employees trained on reporting breaches and handling PHI
□ Sanctions for employees
□ Can BA-controlled PHI be secured?
□ Amend existing reporting policies
□ Seek outside legal review of amendments
□ Risk prevention and mitigation strategies
□ Decrease risk of breach?
□ Insurance covers costs from breach?
Steps for Security Rule Compliance
□ Perform gap analysis
□ Make written policies and procedures for each standard above
□ Seek legal review of policies
□ Train employees on requirements
Amendment of BAAs
□ Draft template amendments
□ CE may conduct due diligence of BA
□ Negotiate broad indemnification or cost-allocation provisions
□ Terms in existing service agreements conflict with BAA?
□ Amend subcontractor agreements
Inventory HI PA A-Related Policies
□ Current policies facilitate compliance?
□ Accounting for disclosures made from an EHR?
□ Minimum necessary disclosures/limited data set?
□ Prohibition on sale of EHRs or PHI?
□ Conditions on marketing communications?
□ Training procedures for personnel?
□ Review sanctions for employee violations
Key Issues and Guiding Principles
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, marked a fundamental change in the federal government’s approach to ensuring compliance with Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. Under the HITECH Act, the federal government, in an effort to strengthen HIPAA, enacted a rigorous enforcement strategy that includes strict privacy and security standards, increased penalties for violations, and expanded federal and state enforcement authority, all of which are directly applicable to Business Associates (BAs).
BAs’ obligations and exposure under HIPAA are both contractual (BAAs) and statutory (HIPAA/HITECH). Consequently, in addition to being liable under their business associate agreements (BAAs), BAs will are subject to many of the legal requirements set forth in the HIPAA privacy and security rules, including civil and criminal penalties. Further, the HITECH Act expanded the definition of BAs under HIPAA. Certain vendors of personal health records (PHR) systems and certain data transmission organizations, such as Regional Health Information Organizations, are considered BAs and are subject to HIPAA.
Ulis chapter highlights key provisions in the HITECH Act that apply to BAs and provides a high-level outline of some important steps to aid a BA to achieve HIPAA compliance. This document is intended to provide general, high-level guidance only and is not intended to provide or be a substitute for legal advice. BAs should consult legal counsel to understand their obligations under HIPAA and the HITECH Act.