Your email inboxes have likely been flooded with updates regarding the U.S. Department of Health and Human Services' final rule to strengthen the privacy and security protections of health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The Final Rule, among other things, enhances a patient's privacy protections, provides individuals new rights to access their health information, and strengthens the government's ability to enforce the law. The final rule was released on January 17 and becomes effective March 26, but an organization covered by the act, i.e., a "covered entity" (CE) or "business associate" (BA) will have 180 days beyond the effective date (or September 22, 2013) to come into compliance.
Although many aspects of the breach notification rule originally mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH) remain the same (including the timing of notification to the Department of Health and Human Services (HHS) and the content of the notification), there are significant changes that healthcare organizations and those that do business with them need to consider.
HIPAA refers to vendors who have access to protected health information (PHI) and electronic protected health information (ePHI) as business associates. There are many examples of BAs: lawyers, consultants, medical transcriptionists, benefits managers, etc. The definition of a BA has not changed, but their liability has. BAs are now directly liable for compliance breaches for:
1. Impermissible uses and disclosures.
2. Failure to provide breach notification to the covered entity.
3. Failure to provide access to a copy of electronic protected health information to either covered entity, the individual, or the individual's designee.
4. Failure to disclose PHI where required by the Secretary of HHS to investigate or determine the business associate's compliance with the HIPAA Rules.
5. Failure to provide an accounting of disclosures.
6. Failure to comply with the requirements of the Security Rule.