HLB: Hooper, Lundy & Bookman, Inc. - Health Care Lawyers


HLB HEALTH LAW E-ALERT
January 25, 2010


HITECH February Compliance Deadline Looms for Business Associates  
 

The new year brings closer the deadline for enhanced privacy and security protections resulting from the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) in February 2009. As a result of HITECH, business associates who have access to protected health information (PHI) in the course of the services they provide to entities covered directly by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will, for the first time, be directly subject to many of the requirements of HIPAA as of February 17, 2010.
 
Under HIPAA, a covered entity may disclose PHI to a business associate without a patient's authorization if the business associate provides the covered entity with satisfactory assurances that it will appropriately safeguard the information.  These assurances must be documented in a written contract often referred to as a business associate agreement (BAA) that meets certain regulatory requirements.  Prior to HITECH, although a covered entity was required to impose certain requirements on its business associates via contract, business associates were not regulated directly by the Department of Health and Human Services (HHS) or its Office of Civil Rights (OCR).
  
HITECH changed this.  HITECH makes most of the HIPAA Security Rule requirements directly applicable to business associates, including direct regulation by the OCR and enhanced penalties for HIPAA violations.  Among other things, by February 17, 2010, HITECH will require a business associate to:
  • implement reasonable and appropriate written policies and procedures;
  • develop a system for identifying breaches and notifying covered entities following discovery of a breach of unsecured PHI;
  • mitigate any harms from the inappropriate use or disclosure of PHI;
  • train its workforce;
  • develop a sanctions policy;
  • establish safeguards; and
  • develop and implement a complaint system. 
HITECH makes business associates liable for civil and criminal sanctions for violating HIPAA in the same manner as covered entities.  Following HITECH, these penalties are enhanced for covered entities and business associates alike. 

 
Business associates also now have the same duty as covered entities under HIPAA to take reasonable steps to cure any known business associate agreement breaches, and if such steps prove unsuccessful, to terminate the agreement (and if termination is not feasible, report the problem to the Secretary of HHS).  This new requirement may actually obligate a business associate to report certain patterns and practices of the covered entity with whom it contracts to the Secretary of HHS.   
 
Are you a HIPAA covered entity? Are you confident that you are currently complying with HIPAA and the recent state law and federal changes to privacy and security protections implemented by HIPAA? Are you confident that your business associates have done what they need to do by February 17, 2010 in order to comply with HITECH and to ensure that they are not breaching unsecured PHI in a manner that will require you to report such breaches to the patients, the Secretary of HHS or the media?

 
Alternatively, are you a business associate?  Have you done everything you need to do in advance of February 17, 2010 in order to ensure your compliance with HIPAA, HITECH and applicable state law?  Can you survive an audit by either the covered entities with whom you contract or the OCR, validating your HIPAA compliance?  Can you afford to tell your covered entity contractors that there has been a HIPAA breach on your watch?  
 
Please contact Hope Levy-Biehl in our Los Angeles office at (310) 551-8140 or hlevybiehl@health-law.com or Stephen Phillips in our San Francisco office at (415) 875-8505 or sphillips@health-law.com if you are seeking guidance or counsel on how to ensure your organization or the organizations with which you contract are ready for the February 17, 2010 deadline, or if you would like to discuss these matters further.
 
 

Copyright © 2010 by Hooper, Lundy & Bookman, Inc. Reproduction with attribution is permitted.

Health Law E-Alerts are provided as an educational service only to assist readers in recognizing potential problems in their health care matters. They do not attempt to offer solutions to individual problems but rather to provide information about current developments in California and federal health care law. Readers in need of legal assistance should retain the services of competent counsel.