HIPAA Business Associate Agreement Updates: The February 17, 2010, Deadline Is Approaching


by Tom Kelley

tkelley@mcgrathnorth.com
(402) 341-3070

As a result of the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which was included as Title XIII of the Federal economic stimulus package, the American Recovery and Reinvestment Act of 2009, health related businesses are now subject to much greater regulation of their information privacy and security practices.  HITECH is generally considered to represent the most expansive modification to the Federal privacy and security rules for health-related businesses since the 1996 enactment of HIPAA.

HIPAA/HITECH regulates Covered Entities and Business Associates.  A “Business Associate” is a person or entity to which a health care provider (for example, a physician, dentist or hospital), a health plan or a health care clearinghouse (each a “Covered Entity”) discloses a patient’s or participant’s (in the case of research) health information that identifies the person or can be used to identify the person (known as “Protected Health Information” or “PHI”) so that the Business Associate can carry out, assist with the performance of, or perform a function or activity for the Covered Entity.  Potential Business Associates include: lawyers; external auditors or accountants; professional translator services; answering services; consultants hired to conduct audits and/or perform coding reviews; accreditation agencies; shredding companies; data processing firms or software companies that may be exposed to or use PHI; collection agencies; pharmacy benefits managers; information technology companies; and medical transcription services.

One of the most far-reaching effects of HITECH is its extension of the HIPAA security and privacy rules to Business Associates.  Previously, Business Associates were required (under their Business Associate Agreements with Covered Entities) to implement administrative, physical and technical safeguards that “reasonably and appropriately” protected PHI.  While Business Associates could be liable for a breach of such security obligations arising under their Business Associate Agreement with a Covered Entity, the Business Associate was not liable for a violation of HIPAA itself.  HITECH reverses this approach.  Now, HIPAA’s security and privacy rules also apply directly to Business Associates.

This means that Business Associates may now be subject to the same criminal and increased civil penalties as Covered Entities if they are found to be in violation of HIPAA’s security or privacy rules.  Prior to HITECH, HIPAA civil penalties were limited to $100 per violation with an overall limit of $25,000 per calendar year.  Under HITECH, the minimum civil penalty is $100 per violation (with a maximum of $50,000 per violation) and an overall limit of $1,500,000 for identical violations during the calendar year.

HITECH has been interpreted by many health law practitioners to require Covered Entities to amend all existing and any new Business Associate agreements by February 17, 2010, to ensure Business Associate compliance with HIPAA’s privacy and security rules.  HHS’ Office for Civil Rights planned to publish by year end 2009 a proposed rule on how Covered Entities and their Business Associates should account for the use and disclosure of PHI in their Business Associate Agreements, but the proposed rule has been delayed.

If you have any questions regarding the requirements to update business associate agreements, or how the new HITECH rules may affect your business, please contact Tom J. Kelley at 402-341-3070 or tkelley@mcgrathnorth.com.
