If you think no one will notice if you’re not in compliance – think again.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was part of the American Recovery and Reinvestment Act (ARRA, aka the stimulus package) that President Obama signed into law in 2009. This is probably where you stop reading and move on. Don’t!
The HITECH Act expanded the scope and liability of Business Associates for failure to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. I’ll admit, that does sound very dry and it has too many acronyms, but stay with me as we have to cover some important stuff.
Historically, business associates were not directly subject to liability under HIPAA but, instead, they were required to sign a Business Associate Agreement (BAA) to be held liable. Now, however, the HITECH Act statutorily imposes direct liability on business associates for failure to comply with HIPAA with or without an executed BAA. (Yes, more acronyms, why is everything in acronyms?). Business associates could face civil monetary penalties, and in some cases criminal penalties for the failure of their agents, including subcontractors, to comply with the HIPAA regulations.
To complicate matters further, the omnibus final rule of the HITECH Act, published on Jan 25, 2013, broadens the definition of business associate, effectively bringing many new organizations under the authority of HIPAA.
Okay. Now I have to go legal on you and be very boring, but there is no sexy way to cover the new broad definition of business associate other than to lay it out the way the Act defines it. As you will see below, your business, and everyone related to your business and their mother, will now be held accountable!
EXPANDED DEFINITION OF BUSINESS ASSOCIATE
The definition of business associate includes the following categories of organizations:
- Subcontractors of Business Associates
The final rule expanded the definition of business associate to include all subcontractors of business associates that create, receive, maintain or transmit Protected Health Information (PHI) on behalf of business associates. The reach of this designation will apply to subcontractors irrespective of how far downstream the subcontractor is, contractually, from the covered entity. Each subcontractor, as a business associate under the new definition, will be directly liable for its own compliance with the provisions of the privacy and security rules applicable to business associates.
- Entities Providing Data Transmission Services
The final rule stated that any organization that provides a covered entity with data transmission services involving PHI, and that requires access on a routine basis to such PHI, will be considered a business associate, including but not limited to health information organizations and e-prescribing gateways. There is a narrow exception provided under the final rule for entities that act as “mere conduits for the transportation of PHI” but do not access the PHI other than on a random or infrequent basis, such as Internet service providers (ISPs) and telecommunications companies.
- Document and Data Storage Organizations
The definition of business associate was expanded to include entities that “maintain” PHI. Organizations that maintain PHI, such as document and/or data storage companies, are considered business associates of covered entities, regardless of whether the entity actually accesses the PHI maintained for a covered entity.
- Personal Health Record Vendors
Vendors that provide and manage personal health records on behalf of covered entities are business associates under the final rule; however, those vendors that offer the personal health record directly to the individual and not on behalf of the covered entity will not be considered business associates.
- Financial Institutions Lending to the Health Care Industry
The preamble to the final rule clarified the circumstances under which a banking or financial institution may become a business associate. The mere act of providing payment processing activities for covered entities will not render a financial institution a business associate. However, performing functions above and beyond the mere processing of remittance advice, such as accessing accounts receivable documentation that contains PHI in connection with the provision of working capital financing to a health care provider, may qualify the institution as a business associate. Accordingly, a lender with access to PHI within the covered entity’s accounts receivable will likely be considered a business associate.
NEW REQUIREMENTS AND LIABILITIES FOR BUSINESS ASSOCIATES
Now that we have discovered that everyone with a pulse is held accountable, the next step is to figure out what will get you into trouble. Business associates may face civil monetary penalties, and in some cases criminal penalties, for failure to comply with the following obligations:
- Meeting all requirements of the security rule, including implementing administrative, physical and technical safeguards, such as:
  - Conducting risk analyses;
  - Designating a security official;
  - Implementing required security policies and procedures;
  - Implementing technical security measures and facility access controls;
  - Conducting security awareness and training programs for all staff, including management; and
  - Adopting a contingency plan.
- Adhering to the following privacy rule obligations:
  - Limiting uses or disclosures of PHI to only those (i) provided for within their business associate agreement or (ii) permitted or required under HIPAA;
  - Limiting permissible disclosures or requests for disclosures of PHI to the minimum necessary;
  - Providing an accounting of disclosures;
  - Providing access to PHI kept in a designated record set to its covered entity or to the individual who is the subject of the PHI;
  - Providing PHI to the U.S. Department of Health and Human Services (HHS) to demonstrate compliance during investigations; and
  - Entering into business associate agreements with subcontractors that comply with the provisions governing business associate agreements between covered entities and business associates.
- Maintaining compliance records and submitting reports to HHS when HHS requires such disclosures to determine whether a covered entity or business associate is complying with HIPAA.
- Providing a breach notification to its covered entity upon discovering a privacy or security “breach,” as defined under HIPAA, and performing a risk assessment, in accordance with the final rule, when determining whether a breach has occurred.
NEW PENALTY STRUCTURE
Okay, did I lose you in the last segment? Are you still with me? Did your eyes glaze over, and did you decide to skip to this section? Well, the penalty section will not disappoint. Now we will examine the civil penalties we keep alluding to.
The HITECH Act not only expanded civil penalties to cover new organizations, but also increased the original HIPAA fines.
The new penalty structure is as follows:
| VIOLATION TYPE | EACH VIOLATION | REPEAT VIOLATIONS/YR |
|---|---|---|
| Did Not Know | $100 to $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 to $50,000 | $1,500,000 |
| Willful Neglect – Corrected | $10,000 to $50,000 | $1,500,000 |
| Willful Neglect – Not Corrected | $50,000 | $1,500,000 |
One-time violations stay under $50K, but repeat violations within the same year can carry a fine of $1.5 million across all HIPAA violation categories, up substantially from the previous $250K maximum. That’s a bit of a hike. However, the average economic impact on your company will be more than the civil penalties listed above. You also have to consider the federal investigation, legal fees, business downtime and decreased credibility, so you could be looking at a total of around $2.4 million, give or take a few dollars.
I bet I got your attention now. And if you think no one will notice if you’re not in compliance – think again.
One of the lesser-known requirements of the HITECH Act is that it mandates periodic and random audits of covered entities and business associates alike. While previously in a pilot phase, the audit program of the OCR (Office for Civil Rights, the entity that enforces HIPAA) has been up and running since 2013.
In conclusion, any HR, IT or Finance professional handling any information that is private (or, as the Act defines it, protected health information) is now liable. You should inform your employees as well as your subcontractors of your newfound responsibility. Don’t forget that ignorance of the law is not a defense. As clearly demonstrated above, ignorance of the law will cost you thousands of dollars.