HITECH Makes Business Associates Liable Under HIPAA
Medical transcription providers should be educating themselves on how the Health Information Technology for Economic and Clinical Health Act (HITECH) portion of the American Recovery and Reinvestment Act of 2009, also known as the stimulus bill, changes the way HIPAA regulations apply to business associates. Up to this point, business associates of covered entities were not directly liable under HIPAA for breaches of protected health information (PHI). As a result of HITECH, however, business associates, including transcription providers, will now be directly liable for failure to adhere to HIPAA regulations regarding the use of PHI.
According to Ed Jones from hipaa.com:
Application of the Security Rule to business associates of covered entities is a significant change. Previously, if there were a breach involving a business associate of which the covered entity were aware, then the covered entity could just terminate the contract if the breach was not remedied. Responsibility and liability rested with the covered entity. With the change in the HITECH privacy provisions of ARRA, the business associate now has responsibility and liability directly for a breach. A breach requires notification, which is triggered when there is an incident of "unsecured protected health information." The Secretary of HHS is required to issue guidance on what constitutes "unsecured protected health information" within 60 days of February 17, 2009. In the absence of such guidance in the time specified, a default definition pertaining to a failure of encryption as endorsed by the National Institute of Standards and Technology (NIST) of such information [applies]. The notification provision requires both covered entities and business associates to notify affected parties directly and individually in a timely manner, and to use appropriate public media for cases involving over 500 individuals. This is a specification that was not defined under HIPAA Administrative Simplification. Increased penalties for a breach by a covered entity are immediately effective.
Writing for WTN News, attorney John Barlament explains further:
For the first time, business associates must comply directly with many of HIPAA's Security Rules. This will require every business associate to take several actions, including appointing a security official, developing written policies and procedures, and training its workforce on how to protect electronic protected health information ("EPHI"). These provisions go well beyond the previous requirements for business associates, where business associates only had to comply with the written business associate agreement.
Business associates also will need to follow HIPAA's Security Rules relating to physical safeguards (such as locking computers that contain EPHI), technical safeguards (such as encrypting emails) and the requirement to adopt written policies and procedures. Failing to do so will - for the first time - subject a business associate to civil monetary penalties and criminal penalties for each notification (and, as discussed below, the civil monetary penalties are now increased).
A covered entity or business associate that has a specified security breach will be required to notify each individual affected by the security breach. This can involve written notification by mail or, if specified by preference by the individual, email. If the covered entity or business associate lacks current contact information, it may be required to post notice of the breach on its website or in newspapers or other broadcast media (e.g., television). For certain large breaches (involving more than 500 residents in a particular area) a "prominent media outlet" must be notified of the breach. The U.S. Department of Health and Human Services ("HHS") also must be contacted, and HHS is to establish a website listing these breaches. There is an exception for certain unintentional breaches.
The Act states that business associates must comply directly with certain HIPAA Privacy Rules, primarily the requirement to have and follow a business associate agreement. The scope of this change is unclear. It could mean that every entity must determine whether it is a business associate with respect to a covered entity. If so, the business associate may be required to enter into a business associate agreement with the covered entity. Previously, it was a covered entity's responsibility to identify all its business associates (a business associate did not need to identify whether it actually was a business associate).
The civil monetary penalties are significantly increased. Currently, the amount of the penalty is generally $100 for each violation. This $100 amount (and its related cap of $25,000 for multiple violations) increases to $1,000 per violation for a violation due to "reasonable cause and not to willful neglect" (with a maximum penalty of $100,000); $10,000 for each violation that was due to willful neglect and is corrected (subject to a $250,000 maximum penalty); and $50,000 for each violation if the violation is not corrected properly (subject to a maximum penalty of $1,500,000 during a calendar year). These changes are immediately effective (i.e., they are in effect today) and represent a dramatic increase in the penalties under HIPAA.
In addition, state attorneys general can now bring a HIPAA enforcement action against a covered entity or business associate that violates these rules. Further, the state attorney general can obtain attorney's fees under such an action (although the attorney's fees are discretionary and not mandatory).
HHS - the main enforcer of HIPAA - now is required to conduct "periodic audits" to ensure that both business associates and covered entities are compliant with these new rules. Audits were possible under the old regulations. However, audits tended to be fairly rare, perhaps due to a lack of funding at HHS. Now, some monetary penalties or settlements collected by HHS are transferred to HHS's Office of Civil Rights to be used for purposes of enforcing HIPAA. This appears to solve the funding issue that HHS had apparently experienced. Thus, clients can expect to see increased HIPAA audits and enforcement.
So what does all this mean for the independent MT contractor and mom-and-pop transcription provider, not to mention regional and national MT service providers? While we don't yet know what the final HHS guidelines will look like, it seems clear to me that a whole boatload of new liability has just been dumped on MTs, whether we're ready for it or not. I'll be following the progress of the HHS rule-setting process with great interest, and will report back as new information becomes available.