HITECH Act Means Business Associates of HIPAA Covered Entities Need Action Plans
In February, as part of the American Reinvestment and Recovery Act, President Obama signed the Health Information Technology for Economic and Clinical Health (HITECH) Act into law. The act introduces new federal data breach notification requirements, impacting not only Health Insurance Portability and Accountability Act (HIPAA) covered entities (namely health care providers, insurers and clearinghouses), but also “business associates,” defined generally as companies that provide services to HIPAA covered entities and as such have access to protected health information, as well as vendors of personal health records (PHRs).
HIPAA covered entities and their business associates are subject to the breach notification rule issued by the Department of Health and Human Services (HHS), whereas PHR vendors are subject to the Federal Trade Commission’s (FTC) rule. Generally, the rules require companies to notify individuals, regulators, and, in certain cases, the media, when unsecured protected health information is breached. Both the FTC rule and the HHS rule are now in force, but neither agency will assess sanctions for failure to provide the required notice for breaches discovered prior to Feb. 22, 2010.
Covered entities, business associates and PHR vendors will have their own compliance requirements and challenges, mandating special considerations. Business associates, in particular, need to act quickly to minimize the risk that they will be involved in a breach that triggers these new notification requirements. If such a breach does occur, business associates also need to be prepared to respond in compliance with the HITECH Act, as well as the terms of the agreements they’ve entered into with covered entities.
What is a Business Associate?
Generally, the term “business associate” as related to HIPAA refers to companies that provide certain services to covered entities and therefore have access to protected health information. A wide range of companies can be business associates — the assessment depends on the function and level of access to individually identifiable health information, rather than the particular industry or overall purpose of the company.
Our Company is a Business Associate to One or More Covered Entities. What Should We Be Doing Now to Prepare for These Breach Notification Requirements?
Companies that are business associates must take steps to reduce the likelihood that they will be involved with a breach that gives rise to the breach notification provisions of the HITECH Act, applicable state law, and/or the terms of their agreements with covered entities. There are several steps that business associates should take now.
Make sure that the classification of “business associate” is correct and accurate.
Many companies can feel pressured by their customers to execute business associate agreements — whether or not they are certain that they are indeed business associates. While there has always been a certain level of risk in executing business associate agreements, the changes being ushered in by the HITECH Act bring a new level of risk to these agreements.
As noted above, business associates are essentially companies that provide services on behalf of the HIPAA covered entity that involve the use or disclosure of protected health information. Prior to executing a business associate agreement, companies should ensure that they meet this definition. As discussed further below, companies may also want to restructure their business relationship and the performance of the services, so as to eliminate the company’s access to protected health information and thus potentially eliminate the need for a business associate agreement.
Review your executed business associate agreements and be very mindful of new agreements.
Many HIPAA covered entities will soon be renegotiating existing business associate agreements to ensure that the agreements reflect the new provisions brought in by the HITECH Act. Business associates are well advised to develop and implement a strategy for negotiating business associate agreements.
Limit protected health information.
All entities, whether or not business associates, can limit their risks by limiting the amount of protected health information that they access, receive and/or possess. If a business relationship can be structured so that access to protected health information is eliminated, or at least minimized, the risk of experiencing a reportable breach, or suffering other reportable violations, will also be reduced.
Improve security and consider encryption where possible.
The new breach notification rules will only apply to information that is “unsecured.” As such, business associates should try to “secure” as much information as they can. According to HHS, encryption and destruction are the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals and thus not “unsecured.” Accordingly, business associates can reduce the odds that they will be involved in a reportable breach by encrypting protected health information.
Train your employees.
Many breaches have resulted from simple employee error. Accordingly, it is essential to ensure that all employees have appropriate training about the company’s policies and procedures for ensuring the privacy and security of all protected health information.
Develop a breach response plan.
The hope is that there will never be a breach that necessitates a response plan, but all business associates should plan for the worst-case scenario and have a formalized breach response plan that will allow them to take prompt and appropriate action in the event of a breach. The HITECH Act is very specific in terms of the content, timing and format of notices that must be delivered to affected individuals.
Under the regulations, business associates are responsible for ensuring that the applicable covered entity receives proper notice of the breach without unreasonable delay, but in no event more than 60 days after becoming aware of the breach. However, I would predict that covered entities will push for stronger breach response plans from their business associates. Thus, the breach response plan must address not only the requirements of the HITECH Act, but also whatever terms have been agreed to with covered entities in the applicable business associate agreements.
While HHS has asserted that it will not enforce the breach notification requirements until February 2010, the requirements are now in effect. Accordingly, it is vital that business associates undertake efforts to develop and implement a compliance strategy without further delay.