HIPAA changes spread liability around

Monday, February 25, 2013

WASHINGTON – Changes to the definition of “business associates” mean that providers need to scrutinize their relationships with those they do business with.

The Department of Health and Human Services on Jan. 17 issued a final rule modifying the Health Insurance Portability & Accountability Act (HIPAA). 

The biggest change for HME providers: the definition of “business associate” has been expanded to include anyone with access to protected health information, like billing and legal consultants and businesses that provide data transmission services. It also includes subcontractors of those business associates.

“It covers basically anyone that has anything to do, even indirectly, with the disclosure of health information,” said Edward Vishnevetsky, an associate at Munsch Hardt Knopf & Harr. “This establishes a change of responsibility and liability for all healthcare providers.”

Compliance with the rule is required by Sept. 23.

While HIPAA previously only required covered entities, like providers, to comply with the rules, business associates will now be held directly responsible for HIPAA violations. The maximum penalty per violation, based on negligence, is $1.5 million, said Vishnevetsky.

Providers should get ready for the changes by first focusing on “business associate” agreements, says Elizabeth Hogue.

“Make sure the agreements comply with the new requirements,” said Hogue, a private practice attorney. “I would also make certain that new agreements also comply with any breach notification requirements.”

Breach notification requirements include, among other things, a description of what happened and what steps a provider will take to investigate and mitigate the breach and protect against future problems.

The HIPAA changes are in accordance with the HITECH Act of 2009, which increases enforcement efforts and penalties for breaches of health information.

“The government doesn’t want providers to have papers that can be lost or used by someone else,” said Vishnevetsky. “They want encryption.”