As of February 17, 2010, entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), such as group health plans, and their business associates will have to take certain actions to remain in compliance with the privacy and security provisions of the Act.
HIPAA was put in place to guard the privacy of protected health information (PHI) and to regulate the manner in which covered entities and their business associates create, store, access, and disclose PHI. A covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information in electronic form.
In its final rule, the Department of Health and Human Services (HHS) imposed stricter penalties for violations of the HIPAA Privacy and Security Rules. The rule also amended HIPAA's enforcement regulations to incorporate the violation categories of the Health Information Technology for Economic and Clinical Health (HITECH) Act: it establishes tiered categories of violations, attaches a tiered range of civil money penalties to each category, and revises the limitations on the HHS secretary's authority to impose civil money penalties.
Some of the changes to HIPAA include:
- Business associates (persons or organizations that perform services for a covered entity involving the use or disclosure of PHI) must fully comply with HIPAA's privacy and security requirements;
- Covered entities must amend their business associate agreements to reflect the new obligations imposed on business associates;
- Covered entities must notify affected individuals of any breach of their unsecured PHI (PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example by encryption or destruction);
- Business associates must notify the covered entity of any breach of unsecured PHI that they discover;
- Covered entities must honor individuals' requests to restrict disclosure of PHI, at a minimum where the request concerns disclosure to a health plan for an item or service the individual has paid for in full out of pocket; and
- The new HIPAA provisions will be enforced through heightened penalties and mandatory audits by the HHS secretary.
Also, under the new HIPAA security rules, covered entities will have to amend their business associate agreements to reflect the changes to the regulations governing the storage and transmission of electronic PHI. To date this has reached business associates only indirectly: they have been required to comply with the security safeguards set forth in their business associate agreements, not with the Security Rule itself.
Business associates will now also need to adopt written security policies and procedures, appoint a security officer, and train their workforces on how to safeguard electronic PHI. Similarly, it appears that the rule requires business associates to comply with the privacy provisions of HIPAA to the same extent that covered entities must comply. Until now, business associates have been required to comply only with those provisions of the Privacy Rule that are set forth in their business associate agreements.