Covered entities and business associates subject to the HIPAA Privacy Rule, including health care providers and revenue cycle vendors, should take note that the amendments to the Rule brought about by the Health Information Technology for Economic and Clinical Health Act, §§13400-13424 of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”), take effect February 17, 2010.
Previously, business associates’ only liability for mishandling Protected Health Information (PHI) arose under the business associate’s contract with the health care provider, and the only party responsible for ensuring the existence of a proper Business Associate Agreement was the provider itself. Under the amended regulations, a business associate can now be held directly responsible for improper use of PHI and for the failure to maintain proper policies for its protection. §13404(a).
The HITECH Act makes the following provisions, previously directed at covered entities only, applicable to business associates:
- Administrative safeguards (45 C.F.R. § 164.308)
- Physical safeguards (45 C.F.R. § 164.310)
- Technical safeguards (45 C.F.R. § 164.312)
- Policies and documentation (45 C.F.R. § 164.316)
Additionally, while HIPAA previously required action on breaches only by covered entities, the HITECH Act requires business associates to take action on known breaches of their agreements by the covered entities they serve, including curing the breach themselves, terminating the agreement, and/or notifying the department of the covered entity’s breach. §13404(b).
The breach notification requirements affecting covered entities and business associates have also changed. The HITECH Act requires notification by a covered entity to the individual whose PHI has been breached, within a reasonable time, not longer than 60 days. Business associates must notify covered entities of any breach within the same time period. The notice must be sent in writing via first class mail, and in the case where the breach concerns 10 or more individuals and the individuals cannot be located, notice must be posted on the breaching party’s website and through public media. Notice regarding the breach must also be provided to the Secretary, immediately in the case of a breach concerning 500 or more individuals, and via an annual log in the case of a breach of fewer than 500 individuals. §13402.
From a practical standpoint, this means that agencies should implement their own documented policies for protecting PHI and should immediately ensure that a Business Associate Agreement is executed with the covered entities with which they do business. Covered entities should review the policies of each and every business associate. If an agreement already exists (which it should), it may need to be amended. It must limit the exchange and use of PHI to the minimum amount necessary for the business associate to carry out its function. HHS discusses the recommended contract language on its website. Our sample contract is found below. Note: the agreement requires customization based upon the use of PHI contemplated by the parties’ business relationship.