News flash: HIPAA no longer applies only to health care providers, insurance companies and other so-called "covered entities." If you are a business that handles patient or employee medical information, then you need to have policies and procedures in place that comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including recent amendments made as part of the Health Information Technology for Economic and Clinical Health Act. Commonly known as the HITECH Act, this statute went into effect on February 18, 2010. Draft regulations implementing the statutory provisions were published on July 8, 2010. Those affected by the HITECH Act will have six months from the effective date of the final regulations to be fully compliant. In the interim, businesses that are subject to the HITECH Act are required to make good faith efforts to comply with the statute.
Defining the Terms
In order to get a handle on your potential obligations under the HITECH Act, it is important to start with an understanding of two common HIPAA terms:
- Covered Entities: Companies that handle medical information about patients as part of their business, self-insure health insurance plans for their employees or sponsor a health insurance plan for their employees (but do not use an insurer or third-party administrator to process health insurance claims) are all considered covered entities under HIPAA, as are health care providers and health care clearinghouses.
- Business Associates: Companies that receive medical information about patients from covered entities are considered business associates. The Department of Health and Human Services has provided examples of the relatively broad category of business associates, including persons who perform legal, actuarial, accounting, management or administrative services for covered entities.
That Was Then...
Previously, HIPAA's strict confidentiality and computer security requirements applied only to covered entities, which had to enter into so-called "business associate agreements" with any other company to which they disclosed patient or employee health information. Although business associates promised to keep the patient information confidential, they were not directly subject to HIPAA's regulations or penalties.
That has all changed under the recent amendments through the HITECH Act.
...This Is Now
HIPAA's privacy and security requirements and financial penalties now apply directly to both business associates and covered entities. As a result, business associates must adhere to HIPAA's strict confidentiality and computer security rules, which require companies to have compliance officers on staff, as well as policies and procedures that safeguard the privacy and security of what is known as protected health information (PHI). Violators are subject to government-imposed fines ranging from $100 to $50,000 per violation, up to an annual amount of $1.5 million if the violations are willful and continue for more than 30 days.
The privacy regulations cover PHI that is held or transmitted in any form (electronic, paper or oral), while the security regulations apply only to PHI that is transferred electronically. Covered entities and business associates must protect the privacy of PHI by (1) limiting access to only those who need it, (2) using passwords to restrict access and (3) storing records in locked cabinets. Methods of securing PHI, including encryption and destruction, must make the data "unusable, unreadable or indecipherable."
The HIPAA amendments contained in the HITECH Act also
- Allow state attorneys general to bring HIPAA enforcement actions. Previously, only the federal government could bring such actions.
- Provide financial rewards to whistleblowers who report HIPAA violations to federal or state governments. This financial incentive puts all covered entities and business associates at far greater risk.
- Require employers that discover a HIPAA violation to affirmatively disclose that violation to the government and, if it affects 500 or more people, to the media.
In light of these important changes, all covered entities and business associates should ensure that they have HIPAA policies, procedures and agreements in place that comply with the new HITECH Act amendments and regulations. Failure to do so could result in significant fines and, in some cases, criminal prosecution.
For more information on how HIPAA and the HITECH Act may apply to your business and the steps you should take to become compliant, please contact your attorney.