Recently enacted legislation has resulted in extensive expansions to the privacy, security, breach notification and enforcement rules of the Health Information Technology for Economic and Clinical Health (HITECH) Act under the Health Insurance Portability and Accountability Act (HIPAA). The new rules were adopted on March 26, 2013, and compliance with most of them is required by September 23, 2013.
The law makes significantly favorable changes to protect patients and their right to privacy concerning their own personal health information (PHI). It also gives patients greater control over the distribution, use and disclosure of their PHI. As a result of this shift, the law places harsher penalties and stricter compliance obligations on health care providers and their “business associates.” The law’s stringent compliance demands give the government’s enforcement of this rule real bite: penalties can reach $25,000 for first-time offenses and $1.5M for repeated violations of the same offense, which can add up to multiple seven-figure penalties if compliance is not met. Furthermore, a covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.
So what do you need to know? First, the Act has expanded the definition of a “business associate” to include any party that “creates, maintains or transmits” personal health information (PHI). This broader definition covers many subcontractors not previously subject to the Act. These newly covered business associates will be held to the same compliance regulations as the company that delegates the work to them with regard to electronic PHI. More daunting still, this compliance obligation flows from the top down: a subcontractor’s subcontractor is held to many of the same requirements as the original business associate.
The changes to the Privacy Rule place greater control over PHI in the hands of patients. The modification requires that, unless otherwise permitted by the patient, PHI be used and disclosed only for the purposes stated under HIPAA. This modification falls in line with the requirements of the Genetic Nondiscrimination Act (“GINA”), which prohibits the use or disclosure of genetic information for underwriting purposes. Furthermore, patients must be notified of these new privacy rights as soon as possible.
The last modification concerns the Security Rule. It lowers the threshold of harm required to impose liability on the business associate or subcontractor who allowed a breach. The new rule also sets forth specific safeguards that business associates and subcontractors must implement in order to be compliant.
To avoid future issues arising from these changes, businesses providing services that deal with electronic protected health information must ensure they are fully compliant with HIPAA/HITECH and other healthcare privacy legislation. PK Law attorneys are well versed in healthcare legislation and regulations and can assist you with drafting, amending current contracts and negotiating:
Website Development Agreements
Software As a Service (SaaS) Agreements
Website User Agreements
Joint Venture and Teaming Agreements