As you likely know, the American Recovery and Reinvestment Act of 2009 significantly changed provisions in the HIPAA Privacy and Security Regulations, broadening their applicability and creating new provisions that place new requirements on those covered by the rules, such as physicians. These laws had not undergone revision since they were enacted years ago.
For years, physicians have had to ensure that appropriate agreements were in place with their business associates, which include anyone who provides legal, accounting, consulting, financial, quality assurance, or billing services, among others. These agreements contain a great deal of standard language and require the business associate to secure the physician's protected health information and to use and disclose it only as appropriate.
Prior to the stimulus package, the HIPAA rules did not directly apply to business associates, as they were only subject to the contract provisions mentioned above. Regulatory authorities could not enforce the provisions against or sanction a business associate. The stimulus package changed this by:
The stimulus package also created the first comprehensive security breach notification requirements for the unauthorized acquisition, access, use, or disclosure of protected health information, where the breach compromises security or privacy. These new rules require notification to patients and the HHS Secretary in the event of a breach. Depending on the number of individuals impacted, other notifications may be required.
In addition, penalties will be increased up to a maximum of $1.5 million depending on certain factors. Some groups have criticized those who enforce the rules for the limited number of enforcement actions taken. The new law gives state attorneys general the authority to bring suit in federal district court, on behalf of state residents, against any person violating the rules, in order to stop further violation or to obtain damages on behalf of such residents. The court will be allowed to award attorneys' fees to the state in such actions.
Physicians should now take certain steps with respect to the compliance of their business associates, including:
Among other provisions that physicians may want to consider with their attorney for inclusion are:
It is important to note that physicians are not required to monitor or oversee the ways that their business associates carry out privacy safeguards or the extent to which the business associate abides by the Business Associate Agreement.