Since the Health Information Technology for Economic and Clinical Health (HITECH) Act passed February 17, we’ve heard a lot of banter about business associates (BA). Of course, BAs must comply directly with the HIPAA security rule and components of the privacy rule by February 18, 2010.
One HIPAA privacy and security officer told us in a focus group that she’s concerned because it’s not clear what a covered entity’s role should be as far as educating BAs. (Technically, covered entities have no obligation to train BAs.) That same HIPAA officer is working on a final draft of a BA contract, and her facility is unsure whether it will have one standard contract or individual language for each BA.
It makes sense for a covered entity to develop a template, then only change some of the details, in particular the description of what uses and disclosures of protected health information (PHI) the BA is permitted, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA, and a HIPAA privacy and security expert.
John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, sees some BAs abandoning healthcare because they fear they can’t fully comply with HIPAA. And many experts simply feel BAs are not ready to comply.
Perhaps the most telling news is that some covered entities don’t know all of their BAs, and they’re trying to identify them.
All this with a crucial eight-month road ahead for covered entities and BAs as they get ready to comply.
In the next eight months, the U.S. Department of Health and Human Services will define the meaning of unsecure PHI, which goes hand in hand with new breach notification requirements. CMS will also publish its definition of “meaningful use” regarding electronic health records. And then the big date—February 18, 2010—which is the compliance date for BAs under the security rule and HITECH.
If you don’t have a grip on your BAs by then, you’ll not only be behind the eight ball but the entire rack on the pool table.
Borten says there is “absolutely no excuse” to not know all your BAs. She reminds covered entities that they must not only know their BAs but must already have entered into contracts with them, per the HIPAA privacy and security rules.
“You absolutely have to know who they are,” Borten says. “And you have to make sure you have legal contracts and that they have all the language required in the privacy and security rules. This should all be in place now. Imagine an auditor walking through the door and asking for this, and you can’t produce it? You’re in big trouble right off the bat.”
Potential BAs are organizations that provide data transmission of PHI, such as regional health information organizations.
The act also clarifies that personal health record (PHR) vendors who contract with covered entities to provide a PHR to their patients or health plan members are another example of BAs.
Some other examples of BAs are:
Many young adults don’t have health coverage
Almost half of young adults—a group some would argue are the most insurable—went without health coverage for more than one month in 2006, and almost one-fourth, or 3.5 million Americans, were uninsured for the entire year, according to a new federal report.
Authors of the Agency for Healthcare Research and Quality (AHRQ) report said this population, ages 19–23, was almost twice as likely to be uninsured all year as adults aged 45–64 (see Figure 10). The agency compiled the report based on the most recent data from the ongoing Medical Expenditure Panel Survey.
Most significantly, nearly one-third of those who had no insurance for an entire year felt health insurance was not worth the cost.
It was not clear from the report how much money the illnesses and injuries in this group of uninsured cost the healthcare system through uncompensated care and how much the patients paid out-of-pocket.
The group is largely healthy, with only 6.5% reporting they’d been diagnosed with any form of chronic condition by a health provider.
But the fact that a disproportionately larger number of people in this age bracket are uninsured relative to older groups of adults is cause for concern, the authors said.
The report, Characteristics of Uninsured Young Adults: Estimates for the U.S. Civilian Noninstitutionalized Population, 19–23 Years of Age, 2006, was written by Karen Beauregard and Kelly Carper.
Among its other findings:
Joel Cohen, director of the division of Social and Economic Research at the AHRQ, suggested that females are less likely than males to lack health coverage because, in many cases, they are eligible for programs such as Medicaid. In many instances, individuals within this age bracket work in settings that offer health coverage, but “it may not be considered affordable by the workers, so they may not sign up,” says Cohen.
Robert Zirkelbach, a spokesperson for America’s Health Insurance Plans, says many health plans have devised policies to meet specific pricing and insurance needs of young adults. However, says Zirkelbach, “certainly, there’s a recognition that many young adults simply don’t choose to participate.”
As policymakers design comprehensive healthcare reform legislation in Washington, Zirkelbach says they need to require that all people participate in the healthcare system. This would mean that all Americans, including individuals aged 19–23, would have to sign up, although the federal government could provide subsidies through tax breaks to help with the cost of premiums.
The insurance industry will do its part by guaranteeing coverage for preexisting conditions and no longer performing health status ratings for its applicants. “But for that to work, there needs to be a personal coverage requirement to get everybody into the system,” Zirkelbach says.
He adds that price differentials would still exist based on an applicant’s age, geographic residence, family size, and the design of the benefit plan.