HIPAA, HITECH And Medical Transcription, Part 1: New Responsibilities For Business Associates
In this first installment in a series of articles about how the HITECH portion of the ARRA legislation (also known as the stimulus bill) will change the way medical transcriptionists operate, I want to focus on some of the new obligations the legislation places on business associates, including transcription service providers. A good starting point is this article from For The Record magazine entitled "Pulling It All Together - The HITECH Act & HIPAA," which deals with some of these new responsibilities for business associates handling electronic protected health information (ePHI). Here are some key passages, with my emphases added:
Breach notification requirements also extend to business associates (BAs). Under HITECH, BAs are now directly accountable for violations. Further, if a BA becomes aware of a violation on the part of a covered entity (CE) with whom it works, it has an obligation to report the breach if the CE does not take steps to remedy the situation.

As a result, BAs that have not already done so will need to implement security and notification policies and procedures of their own, as well as work with CEs to reach agreements on how notifications will be handled.

In most cases, this will require BAs to carefully evaluate and revise existing contracts not only with CEs but also with any subcontractors that may handle personal health information (PHI) on behalf of clients.

"Agreements will have to be amended to reflect that the nature of the relationship between the business associate and covered entity has changed, such that the BA actually has affirmative duties to take certain steps," says Helen Oscislawski, JD, a health law attorney with Fox Rothschild LLP. "For one, BAs now have a direct obligation, if they are aware a covered entity has engaged in a breach, to report the breach to HHS if the CE fails to take steps to remedy the breach and terminating the contract is not an option. This was in reverse before. Now we have a bilateral, mirrored obligation on both ends. It changes the dynamic between these parties in many ways."

Further, while previously the determination of whether a BA would be held accountable for breaches was handled in contracts, they are now directly at risk for the same statutory and civil monetary penalties as covered entities, including those pursued by state attorneys general.
As you can see, HITECH has clearly changed the ground rules with regard to who is responsible for securing ePHI. It used to be that the burden was by and large all on the covered entity, i.e., the client, to be HIPAA compliant. That is no longer the case. Under HITECH, business associates must now be proactive in ensuring that all ePHI is handled in a secure manner, whether or not the client sees the need to do so. In my own personal experience as an MT service owner dealing with small physician practices, as well as providing consulting services to other small MTSOs and independent contractors, I'm well aware of the challenge this presents to many of us. Every doctor we deal with, as well as their office personnel, must now be educated on the need for security measures that up to this point may have been ignored.
Furthermore, HITECH not only requires that proper security measures be put in place (more specifics on that in later articles); it also requires a written contract between CEs and BAs which clearly spells out the legal obligations of all parties under HIPAA and HITECH. In other words, the days of doing business with a client on the basis of a conversation in person or over the phone are over. Everything has to be in writing, and it has to be very explicit in terms of what each party is required to do under the law. Again, this means that if you don't already have a written HIPAA compliance contract in place for every client, now is the time to get it done. And even if you DO have existing written agreements in place, they must all now be updated to reflect the new obligations under HITECH.
The bottom line is that transcription service providers can no longer afford to sit back and wait for the client to initiate a conversation about contracts and security procedures. Now under HITECH, if we aren't HIPAA compliant, we can be slapped with the same monetary penalties that used to be reserved for covered entities.