How the HITECH Act Impacts a Business Associate

HIPAA compliance requirements have been greatly changed with the American Recovery and Reinvestment Act (ARRA) and its Title XIII called the HITECH (Health Information Technology for Economic and Clinical Health) Act. With the introduction of this new law, business associates are now accountable for the privacy and security requirements that previously were required only by covered entities. In addition, a business associate is now subject to civil and criminal penalties. This also includes a provision that lets patients receive financial compensation for a violation of their privacy.

This new federal law has added strength to the enforcement portion of the law. The significant changes include:

• Employees and other workforce members, including independent contractors, are now subject to civil penalties. This means that individuals are also now accountable legally.
• There is a requirement for HHS to formally investigate any complaints and to impose civil penalties for violations of the rules if the violation is due to "willful" neglect.
• The law requires that any civil monetary penalties or monetary settlements as a result of a violation of the rules be sent to the Office of Civil Rights (OCR) for enforcement of the privacy and security rules.
• Civil monetary penalties now have a tiered system ranging from $100 to $50,000 depending on the offense.
• The Secretary of HHS is required to conduct periodic audits to be sure that covered entities and business associates are compliant with the new rules.
• The State Attorneys General now have the authority to bring suit in district courts for any violation on behalf of the residents of their state.

What Steps Should a Business Associate Take to be sure you are Compliant?

The first step is being sure you are properly classified. For example, if you are an independent contractor working for a service and not directly contracting with a covered entity, that probably means you are not a business associate, but an agent or subcontractor of a business associate. It is important, however, for independent contractors to understand if your contract is directly with the covered entity, that makes you a business associate and all of the new laws do apply to you.

Some things you need to consider include:

• Assigning responsibility for compliance to one person. While you can have a team working on compliance issues, one person must be named as the compliance officer and be responsible. This does not have to be an employee and you can use a consultant if that works best for you, however, it is critical that you have this person identified.
• Encryption of all electronic files. The HITECH Act has made the use of encryption the one thing that provides a "safe harbour" for not having a breach. Data that is not encrypted is considered unsecured according to the law. While you may already be using encryption for data transfers, this law also requires that information be encrypted while "at rest." This may require that you add encryption to all electronic files that are stored anywhere on your system. If you are in medical transcription, remember that this will also include the voice files stored on any dictation system. The Secretary of HHS will review these standards annually for any changes.
• Breach notifications. While HIPAA has always required that a business associate notify their client of any breaches of information, the law now makes you responsible for being sure the notification is done. A breach is defined as acquisition, access, use or disclosure of unsecured PHI that is not permitted under HIPAA and that compromises the privacy or security of the information. Remember that unsecured data means unencrypted. Documentation of breech notifications must be kept for six years.
• Be sure you are compliant with both the privacy and security rules. There are many points to consider in these rules. You must have written policies and procedures. You must have a written risk analysis done. You also must have a contingency plan in place for any kind of business disruption. Your systems also have to provide audit trails for who accesses protected health information.
• Realize you are responsible for the actions of your workforce. The rules require training of the workforce, which must be done and documented. If you have remote workers, this can be more of a challenge, but it is possible.
• Another significant change is that business associates are now responsible for trying to stop any violations by the covered entity (their client). This includes things even up to canceling your contract with a client who refuses to fix a violation or prefers to ignore the law. Both parties are responsible for doing this for the other, and this could very well change some of the relationships you currently have with your clients.
• Documentation. Remember, it's all about being sure you have things documented. Use the rule of thumb that says "if it's not documented, it wasn't done." It is no longer acceptable to just say you are compliant. You must have written documentation to show that you have done all of the required steps.

The changes that have come as a result of the HITECH Act certainly have a big impact on business associates. The date for compliance is past. If you haven't taken the required steps, now is the time to do it.