After several years, Federal regulators recently passed the final rules implementing changes to the Health Insurance Portability and Accountability Act (HIPAA), initially outlined in the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH). For the first time, Business Associates and their subcontractors have a direct obligation to comply with HIPAA.
A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Business Associate functions and activities may include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business Associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.
Covered entities, such as medical practices, also have work to do to become compliant with the new privacy regulations. Covered entities should ensure their Business Associate Agreements are up to date. The Agreements must, among other things, require Business Associates and their subcontractors to comply with both HIPAA and HITECH regulations. In addition, the new rules expand the obligations of covered entities and Business Associates to report unauthorized disclosures of protected health information. Covered entities and Business Associates must come into compliance with the new HITECH rules beginning September 23, 2013.
The government is stepping up its enforcement of HIPAA in light of the new rules, and government audits are on the rise, not just of large covered entities. Enforcement data indicates that private physician practices are the type of covered entity most commonly required to take corrective action in response to a HIPAA-related complaint filed with the government. Audits focus in particular on whether a covered entity has conducted a risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of its electronic protected health information, as required by the HIPAA Security Rule. Failure to conduct a risk assessment at all is a top concern for government regulators, so every covered entity should ensure that it has conducted a risk assessment, and should update that assessment if it is more than a year old.
Please contact us if you would like to discuss how these rules will affect your business.