Legal Matters: HIPAA Round Two: The Age of the Business Associate
The recently passed Stimulus Bill included a sweeping expansion of HIPAA, which now directly regulates Business Associates, added data breach notification requirements, and increased fines and penalties.

Who is a Business Associate?
Business Associates perform a service to or on behalf of a provider, insurance company or healthcare clearinghouse that involves the collection, use, or disclosure of protected health information. Some examples may include accountants and attorneys, billing companies, collection agencies, insurance agencies, outsourced management or administrative assistance, research organizations, transcription services, as well as most computer-related contractors.

What has changed?
Historically, Covered Entities were required to enter into a Business Associate Agreement with these entities. This agreement contractually obligated the Business Associate to certain privacy and security obligations but left implementation largely unsupervised and unregulated.

Under the stimulus bill, Business Associates are now required to fully implement the HIPAA requirements regarding physical, administrative and technical safeguards just as if they were a Covered Entity. This requires a full risk analysis of internal operations and the development of written policies and procedures that meet HIPAA security requirements. As any Covered Entity can attest, the full implementation of the privacy and security requirements of HIPAA dramatically impacts operations and work-flow.

Not only are the internal burdens increased, but Business Associates are now subject to civil penalties for failure to meet these requirements. These penalties have increased to $500,000 per violation up to $1.5 million per year for each type of violation. The current maximum civil penalty is $100/$25,000. State Attorney Generals are now specifically empowered to enforce HIPAA, which means neither Covered Entities or Business Associates need to wait for the Office of Civil Rights to knock on their door–enforcement is just around the corner.

HIPAA has never required Covered Entities to actively monitor a Business Associate's compliance with the Business Associate Agreement; however, a known pattern or practice could not be ignored and had to be addressed. This has not changed but now also works in reverse. A Business Associate that learns of a pattern or practice of a Covered Entity that is in violation of HIPAA is required to work with the Covered Entity to resolve the issue or report the Covered Entity to the proper enforcement authority.

Breach Notification
As of the writing of this article, approximately 43 states have implemented data breach notification laws including both Tennessee and Virginia. These typically require the breach of one or more pieces of identifying information in conjunction with an unencrypted social security number.

Under the stimulus bill, the breach of health information has no limits or requirements. Any breach of any information is now reportable. A podiatrist who drops a list of names and shoe sizes in the parking lot has the same obligations as a provider whose computer system has suffered a breach of names and social security numbers.

Each patient must be notified in writing. If information on more than 500 individuals in a defined region has been breached, local media outlets must be notified. The Department of Health and Human Services must also be notified immediately in the case of a breach of 500 or more records or in an annual report if less. This information will be posted on the DHHS website. Business Associates who suffer a breach must notify the Covered Entity of the breach so that these actions may be taken.

The only exception to these reporting rules is if the breached information meets certain security (encryption) requirements. The Department of Health and Human Services is tasked with developing rules for encryption, though these have not been finalized at this time. Encryption of data at rest, which is what will be required, is a monumental task and will likely take information technology vendors quite a while to incorporate into their systems. In addition, interfaces and other software will need to accommodate these changes.

The harshness of these reporting requirements will definitely clash with state law reporting issues, software development timelines, and the disjunction of paper and electronic breaches. As a result, expect to be faced with breach reporting issues for the foreseeable future.

Miscellaneous Changes
There are several other changes that will impact both Covered Entities and Business Associates. Requests by a patient to restrict insurance company access to records related to a visit paid for out-of-pocket must be honored. If you have an electronic medical record, patients may now request an accounting of disclosures for releases related to treatment, payment and operations. If you have an electronic medical record, a patient has the right to receive an electronic copy of their medical records. What constitutes minimum necessary for various uses, including internal uses, will be subject to further definition.

Going Forward
HIPAA enforcement by both the Office of Civil Rights and HHS has been on the rise. Enforcement is now going to also come from State Attorney Generals. The complexity of these new rules coupled with the fact that many Business Associates have not fully implemented HIPAA requirements creates a daunting enforcement landscape. Over the next few months, many of the issues discussed in this article will be more fully defined through the regulatory process; however, both Covered Entities and their Business Associates should dust off their agreements, analyze their operations and begin preparing to implement these changes.

Randall E. Sermons, attorney at law, provides legal support for healthcare businesses including regulatory analyses, health information and health information technology as well as general corporate assistance. He may be contacted at .

Login and voice your opinion!