By Gabriela Sanchez
Published in the Daily Journal of Commerce, July 2009
If you do business with health care providers, insurance companies, long term care facilities, and you receive protected health care information you may be a "business associate" under the Health Care Information Portability Accountability Act or HIPAA. As a business associate, you now have to comply directly with the privacy and security rules under HIPAA to protect a patient's health care information.
Protected health care information or PHI is information, including demographic data, that relates to a patient's past, present, or future physical or mental health or condition, including payment for health care that identifies the patient or has information from which one can identify a particular patient.
In February 2009, President Obama signed The American Recovery and Reinvestment Act ("ARRA") into law. Most of ARRA's provision will become effective on February 17, 2010, including the requirement that business associates have to comply directly with HIPAA. However, some of those provisions, like new penalty provisions, are effective now as discussed below.
Prior to ARRA, business associates were not subject to HIPAA. Rather, only covered entities were required to comply directly with HIPAA. Business associates only had to enter into a contract with a covered entity to protect a patient's privacy. Now, in addition to entering into a business associate agreement with a health care provider, a business associate must comply directly with HIPAA‘s privacy and security rules. In order to do that, business associates must take reasonable and appropriate measures to protect a patient's PHI.
To comply with HIPAA a business associate should consider appointing a privacy officer who will be responsible for implementing and complying with the company's privacy policies and procedures; establish new privacy and security policies to protect PHI from inadvertent or improper disclosures; review existing privacy policies; add or strengthen current physical and technical safeguards of PHI; review or implement record retention policies for HIPAA compliance; and train employees about HIPAA compliance.
One additional requirement under ARRA that will impact business associates is the new breach notification provision. If a business associate inadvertently discloses "unsecured" information about a patient whether such breach was harmful or not, the business associate must report such breaches to the covered entity so that it can properly notify the harmed party within a specified period of time. Unsecured information means information not protected by technology or methods designated by the federal government that make that information unreadable, undecipherable, or unusable.
What happens if you fail to comply with HIPAA? Prior to ARRA, a business associate only faced contractual liability for failing to comply with a business associate agreement. Now under ARRA, a covered entity or a business associate who fails to comply with HIPAA is subject to a series of tiered penalties ranging from $25,000 to $1.5 million. That particular penalty provision is now in effect. Thus, if you are not complying with HIPAA and are caught, you could face those penalties now. Another important change under ARRA is that U.S. Department of Human Services is now required to conduct audits of covered entities and business associates to ensure compliance with HIPAA. In addition, ARRA grants state attorneys generals the right to police compliance with HIPAA and to bring actions against non-compliant companies. Furthermore, individuals who violate HIPAA may also be prosecuted directly for violations.
Through ARRA, the federal government is sending a clear message: protection of a patient's health care and other personal information is of key importance. If you think you might be a business associate, consult with your attorney about establishing the proper safeguards to avoid disclosures of protected health care information and to update your business associate agreement to include the new provisions required under HIPAA.
Related Practice Areas