What You Need to Know about HIPAA Changes and Business Associate Agreements
Chances are you’re well acquainted with HIPAA and its guidelines for providing privacy and protecting the security of your patients’ health information. But when the U.S. government put the Final Rule (also known as the Omnibus Rule) in place back in January, it strengthened those protections even further.
One significant change to the HIPAA Rules involves your business associates—any subcontractors who handle protected health information (PHI) on your behalf, such as third-party EHR vendors, data storage companies, or billing systems. Under the new Rule, potential liability now extends to business associates. That means if a subcontractor improperly uses or discloses a patient’s PHI, both your practice and the business associate are liable and subject to penalties.
So if your practice is a covered entity that engages with business associates, what can you do to protect your practice?
1. Establish or update all business associate contracts. According to the U.S. Department of Health and Human Services (HHS), a contract should outline “what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.” You may already have written agreements in place, but with the recent changes in liability and responsibility, it’s crucial to review and update all of your contracts with business associates. And the HHS has supplied some sample agreement provisions to help get you started.
2. Review your office’s privacy policies and procedures. Revise your policies and procedures to ensure they’re in line with the new privacy and security rules. And then make sure your staff is trained on these policies and procedures and understands how to prevent or report a breach.
3. Become familiar with the practices of your business associates. Have a meeting or two with any subcontractors and make sure they’re aware of the new HIPAA Rules and are able to comply with them. Discuss the definition of a breach—now defined as “an acquisition, use or disclosure of PHI in a manner not permitted”—so that all parties understand when a breach must be reported and what steps they’ll need to take when one occurs.
4. Be aware of the deadlines. The new HIPAA Rules went into effect on March 26, 2013, and the deadline for compliance is September 23, 2013. But in some cases, there is a grace period for the renewal of business associate contracts. If your practice already had a HIPAA-compliant agreement in place before the new Rule’s official publication date on January 25, and if that agreement isn’t up for renewal between March 26 and September 23 of this year, then a one-year grace period will be granted until September 24, 2014.
In addition to being aware of the guideline changes and deadlines, all HIPAA-covered entities and their business associates should keep in mind that when the Office for Civil Rights (OCR) begins enforcing these new policies after September 23, there will be four tiers of civil monetary fines—ranging from $100 to $50,000 per violation, and up to $1.5 million for the same type of violation committed within one calendar year—for those who don’t comply. And while practitioners were once presumed innocent until proven guilty under the old HIPAA Rule, now they’ll be expected to prove their innocence to avoid being fined.
What are you doing to get your staff and subcontractors ready for compliance?