Many Idaho business owners know that federal privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) apply to health information maintained by certain “covered entities”, i.e., healthcare providers and health plans.
But fewer know that effective September 2013, new regulations dramatically expanded HIPAA privacy rules to also apply to “business associates” of those covered entities.
A “business associate” is generally a person or entity who “creates, receives, maintains or transmits” protected health information (PHI) in performing services on behalf of a covered entity. Under the new regulations, thousands of large and small Idaho businesses that support the healthcare or health insurance industry must now comply with HIPAA privacy and security rules or face mandatory fines. The new regulations affect any business that handles protected health information for healthcare providers or health plans, including consultants, information technology contractors, software vendors, document storage or destruction companies, accountants and bookkeepers, billing and coding companies, transcriptionists, lawyers, and third-party administrators.
Furthermore, if the business associate uses subcontractors to provide any services involving the protected information, the subcontractors also become “business associates” and must comply with the HIPAA privacy rules.
Business Associate Requirements.
Under the new regulations, business associates must generally do the following:
1. Perform and document a security risk assessment of their computer systems and portable devices containing electronic PHI.
2. Implement specified administrative, technical and physical safeguards to protect the integrity, confidentiality, and availability of electronic PHI (e.g., establish computer access controls; use firewalls, virus protections, and encryption; backup data; implement appropriate security policies and procedures; etc.).
3. Execute and perform according to written business associate agreements with covered entities that essentially require the business associate to maintain the privacy of PHI; limit the business associate’s use or disclosure of PHI to those purposes authorized by the covered entity; and assist covered entities in responding to patient or health plan participant requests concerning their PHI.
4. Report security incidents and privacy breaches to the covered entity.
5. If the business associate uses subcontractors or other entities to provide any services for the covered entity involving PHI, execute business associate agreements with the subcontractors.
Penalties for Violations.
Business associates who violate HIPAA are now subject to penalties of $100 to over $50,000 per violation. If the violation resulted from willful neglect, the Office for Civil Rights must impose a penalty of at least $10,000 per violation. If the business associate acted with willful neglect and fails to correct the violation within 30 days, the Office for Civil Rights must impose a penalty of at least $50,000 per violation. A north Idaho hospice was recently fined $50,000 because of the loss of data from a laptop. Idaho State University recently settled a HIPAA violation for $400,000 because of inadequate security measures.
Beware Business Associate Agreements.
To comply with the new requirements, Idaho healthcare providers and health plans have been requiring many of their contractors to execute business associate agreements whether or not they are truly “business associates” under the HIPAA rules. In the past, there was little risk in executing the agreements because business associates were not directly liable for HIPAA violations. Under the new rules, however, executing the agreement may establish a business associate relationship and subject the contractor to HIPAA liability for violations. In addition, many business associate agreements contain indemnification or insurance clauses that increase the obligations and associated risks to businesses.
If a business is truly a HIPAA “business associate,” it must take seriously its HIPAA obligations and comply with HIPAA rules as well as the terms of an agreement. If it is not a HIPAA “business associate,” the business may want to think twice before executing a business associate agreement or assuming responsibilities involving a healthcare provider’s or health plan’s health information.
Kim Stanger is a partner at Holland & Hart in Boise, where he works in the business, corporate and finance; health care; and privacy and information security practices. Contact him at firstname.lastname@example.org