On Thursday, January 17, 2013, the new HIPAA Omnibus Rules were announced, requiring health care organizations to update their compliance programs and making sweeping changes to the way many businesses that serve health care clients operate. Even a small IT business that supports only one health care client must comply. Other affected businesses include EMR vendors, shredding companies, collection agencies, revenue cycle management vendors, lawyers, accountants, and any other business that comes in contact with patient data. The rules take effect March 26, 2013, and Covered Entities and Business Associates must comply by September 23, 2013.
The new rules give Business Associates a 180-day countdown, running from the March 26 effective date to the September 23 compliance date, before enforcement begins against them directly. When it first took effect in 2005, the HIPAA Security Rule identified Business Associates as organizations that may come in contact with Protected Health Information (PHI) in the course of supporting HIPAA Covered Entities (health care providers, payers, and clearinghouses). Covered Entities were required to have Business Associates sign Business Associate Agreements limiting their use or disclosure of PHI. Those agreements were contracts between the Covered Entity and the Business Associate only; the Business Associate was not directly liable under HIPAA for any data breach it caused, and its exposure was purely contractual.
The new regulations implement the HITECH Act, the 2009 federal legislation that offered financial subsidies to doctors who adopted Electronic Health Records (EHR) systems. Many data breaches have been caused by Business Associates, including one in November 2012 in which a Business Associate exposed 68,000 patient records. Under the new rules the HIPAA enforcement agency can investigate Business Associates directly, impose civil penalties on them directly, and refer criminal violations for prosecution, rather than reaching them only through the Covered Entity's contract.
Other changes to HIPAA, along with clarifications of the original rules and of some interim regulations, include suggested new language for Business Associate Agreements, extension of the regulations to subcontractors of Business Associates, and replacement of the "harm" standard in the breach notification rule with a risk-assessment test for deciding whether an incident must be reported. Technologies that did not exist when HIPAA was written are also brought within the rules.
Health care providers and payers should take note of the federal government's focus on Business Associates and make sure that each Business Associate has signed an agreement and is actually protecting patient data in compliance with HIPAA. Providers will also have to update their Notice of Privacy Practices to include language reflecting the new regulations.