Business Associates - Are You Ready for the February 17th HIPAA Deadline?
Entities that handle protected health information (PHI) on behalf of health providers, insurers, health care clearinghouses, and individual and employer health plans are now directly responsible for their own compliance with many of the privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). If your company meets this description, you can no longer rely on the terms of your contracts with the covered entities to determine the full extent of your HIPAA obligations and the penalties for non-compliance. Beginning February 17, 2010, the HITECH Act makes it your responsibility to comply with HIPAA’s security mandates and with the terms of your business associate agreements (which generally pass through most of the HIPAA privacy rules), and imposes penalties for non-compliance directly on you.
Are You A Business Associate? Business associates are those persons or entities who perform any function or activity on behalf of or perform services for a covered entity and have access to one or more persons’ individually identifiable health information (known as “protected health information” or “PHI”). Examples include third-party administrators, actuaries, underwriters, consultants, data processors, printing contractors, mailing houses, claims processors, accreditation programs, transcription and billing services, e-prescribing gateways, and health information exchange organizations in both the private and public sector, and in some cases, insurance brokers, accountants, attorneys, debit card providers, and software vendors. There are no exceptions based on size, so whether your company has one or 100 employees, you could be a business associate.
What Must You Do? Under HIPAA as expanded by the HITECH Act, business associates must implement many of the policies previously required only of covered entities and develop safeguards to comply with the expanded HIPAA requirements. In addition, business associates must be prepared to comply with the new breach notification requirements if there is a breach of unsecured PHI.
We have provided a checklist below for you to use to assess whether you are in compliance:
BUSINESS ASSOCIATE HIPAA CHECKLIST:
- Appoint a security officer (and consider appointing a privacy officer)
- Conduct a HIPAA security risk analysis
- Develop written privacy and security policies
- Implement forms and procedures to respond to individual requests for accounting of disclosures of electronic PHI and to be able to provide copies of electronic PHI
- Implement administrative, physical, and technical safeguards to secure electronic PHI
- Make sure you are in full compliance with your business associate agreements, and update them as needed to comply with the new HITECH Act privacy and security requirements
- Monitor the covered entities for whom you handle PHI for potential violations of the business associate agreement, and be prepared to take the required steps (cure, termination of the agreement, or a report to HHS) if you discover a pattern of activity that breaches it
- Adopt procedures to address breaches of unsecured PHI
- Train your workforce as to HIPAA’s requirements
- Prepare for periodic compliance audits by HHS
It is important that you implement these changes soon because, effective February 17, 2010, you will be subject to civil penalties (up to $25,000 per calendar year for identical violations even if you did not know you were violating HIPAA, and up to $1.5 million per calendar year for uncorrected willful neglect) and to criminal penalties for violations. The risk of enforcement has gone up considerably now that state attorneys general have been granted the authority to bring suit against you for violations, HHS has been directed to conduct periodic audits, and covered entities and business associates may be required to report each other’s breaches. Also note that if you are a provider of personal health records, additional rules may apply to you.
With a team of attorneys who are highly experienced in the Employee Benefits and Health Care fields, MLA can provide answers to questions and assistance in complying with these requirements.