If you are a health care provider and/or someone who routinely performs work involving patient health information on behalf of a health care provider, you likely need to know about the HIPAA/HITECH Final Rule.

Since the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the Department of Health and Human Services (HHS) has been working on amendments to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to significantly expand those entities who are subject to rules governing access to and disclosure of protected patient health information (PHI).  One of the most notable expansions of HIPAA, under HITECH, is the expanded applicability of certain provisions of HIPAA directly to business associates and subcontractors who have access to PHI as part of the activities they perform on behalf of health care providers and other covered entities.    

HHS has recently published the Final Rule modifying HIPAA to implement the requirements of HITECH.  The new requirements became effective March 26, 2013, but covered entities (think health care providers), their business associates, and subcontractors have until September 23, 2013 to comply.  Thanks to HITECH, significant monetary penalties apply to non-compliant entities who are subject to HIPAA, so you’ll want to pay attention to the new requirements and get started right away to ensure that you’re in compliance by the September 23 deadline.  

How do I know if HIPAA applies to me? 

HIPAA applies to covered entities.  HIPAA applies to health care providers, health plans, and health care clearinghouses, also known as “covered entities”.  Most health care providers have long been aware that HIPAA privacy and security requirements apply to them. 

HIPAA applies to business associates.  But what about entities that perform activities on behalf of a health care provider which require the entity to have use and/or disclose protected health information?  As of the passage of HITECH, HIPAA now applies directly to “business associates” and their subcontractors.  (It’s not just a contract issue anymore; HHS can directly enforce HIPAA against a business associate!!).

HIPAA applies to subcontractors.  Many business associates were already aware that HIPAA applied to them.  However, the Final Rule also makes clear that subcontractors of business associates are also subject to the same HIPAA provisions which apply to business associates.  This means that if you are a business associate you need to ensure that your subcontractors are appropriately complying with privacy and security provisions which apply to you under HIPAA. 

Who is a “business associate”?

A business associate is generally defined as a person or entity (not an employee) that performs functions or activities on behalf of, or certain services for, a health care provider that involve the use or disclosure of protected health information.  Business associates include entities that provide legal, actuarial, accounting, data processing, claims processing, benefit analysis, quality assurance, and other activities on behalf of health care providers which necessarily involve the use and disclosure of patient information. 

The HHS website has a link to the topic of “business associates” which may provide some guidance, although some parts of it have not been updated recently.  For example, the website notes that a software company that hosts the software of a health care provider which contains patient information on the software company’s own server or accesses patient information when troubleshooting the software function is a business associate of the healthcare provider. 

Check out the link at http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/index.html.  

What happens if I am found to be non-compliant? 

HITECH established four tiers of violations with corresponding penalties based on the level of culpability attributed to the entity that violated HIPAA privacy and/or security requirements.  Penalties range from $100 per violation to $50,000.00 per violation.

The above article is a condensed version of a longer Sands Anderson PC  article by the same name by Ruth T. Griggs.  If you would like the full article, please click the following link:  Read more here.