The Health Information Technology for Economic and Clinical Health Act, known as HITECH, went into effect last year. The act included, among other things, a change to the Health Insurance Portability and Accountability Act covering business associate agreements.
Covered entities were given a year to bring pre-existing business associate agreements into compliance. The deadline is Sept. 23, 2014.
The transition period covered any written business associate agreement that existed before the Jan. 25, 2013, publication date of the ruling, complied with prior Health Insurance Portability and Accountability Act (HIPAA) provisions and would not be renewed or modified between April 26, 2013 (the effective date of the ruling), and Sept. 23, 2013 (the compliance date).
The transition period also covers existing written agreements between a business associate and a subcontractor until either renewal of the covered entity/business associate contract or Sept. 22, 2014, whichever comes sooner.
The act expanded the definition of business associates to include:
- Health information organizations
- E-prescribing gateways
- Personal health record providers on behalf of a covered entity
- Patient safety organizations
- Data transmission service providers with routine access to personal health information
- Subcontractors that create, receive, maintain or transmit personal health information on behalf of business associates
Covered entities have been required to have a written contract with a business associate stipulating that the business associate and any subcontractors must safeguard personal health information and not use or disclose the information except as directed in the contract. While liable for the requirements of the contract, the business associate previously was not directly liable for violations.
In the new rules, a business associate cannot do anything that the covered entity cannot do:
- A contract is required between a business associate and a subcontractor that is as stringent as the contract between the covered entity and the business associate.
- If a covered entity delegates a privacy rule obligation to a business associate (for example, providing Notice of Privacy Practices to individuals), the contract must require the business associate to perform in compliance with the rule.
- A business associate must report to the covered entity any breach of unsecured personal health information.
- In addition to being contractually liable, the business associate is directly liable for violations of applicable provisions of the HIPAA rules and for violations by a subcontractor, including:
- Impermissible uses and disclosures, including more than the minimum necessary
- Failure to comply with security rule
- Failure to provide breach notification to the covered entity or, if a subcontractor, to the business associate
- Failure to provide e-access as provided in the business associate contract
- Failure to disclose personal health information to the Department of Health and Human Services (HHS) for compliance and enforcement
- Failure to provide HITECH accounting
- If a business associate is aware that a subcontractor is violating a rule, the business associate must take reasonable steps to end the violation or terminate the contract, if feasible.
Medical practices are advised to have legal counsel review their existing business agreements to ensure needed updates are in place. The HHS Office of Civil Rights includes sample wording for provisions of business associate agreements on its website at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.