Recently I have been asked by Business Associates about the “new” HIPAA compliance requirements and whether they really have to comply with them.
So far my answers are not the answers they are looking for, simply because they would prefer to hear that those requirements are just another myth. Regretfully, a lot of these requirements are not as new as many subcontractors think. Under the Health Insurance Portability and Accountability Act (HIPAA), subcontractors that have access to Protected Health Information (PHI) were designated as Business Associates (BAs), which in turn made them responsible for protecting that data. The HIPAA Privacy Rule took effect on April 14, 2003, so in reality BAs have had to comply with some HIPAA requirements for the last 10 years.
The next big change was the HITECH Act, whose Business Associate provisions took effect on February 17, 2010. The HITECH Act made four specific sections of the HIPAA Security Rule directly applicable to Business Associates; the documentation standard quoted below (45 CFR 164.316(b)) is one of them:
(b) (1) Standard: Documentation.
(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
(b)(2) Implementation specifications:
(i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
(ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
(iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
The HITECH Act also established that failure to comply exposes the Business Associate to the same civil and criminal penalties (i.e. legal liability) as the Covered Entity.
Then, on March 26, 2013, the Omnibus Rule took effect, with a September 23, 2013 compliance date. The Omnibus Rule brought significant changes to the BA and subcontractor world: now even the subcontractor of a BA must comply with the HIPAA Security Rule, with the corresponding legal obligation to follow the privacy protections of a standard Business Associate Agreement and the HITECH provisions. In other words, a BA must have a Business Associate Agreement with each of its subcontractors, and those subcontractors must follow the HIPAA Security Rule and HITECH provisions. The chain does not stop there: subcontractors of subcontractors must also follow the same rules.
The Omnibus Rule also created a few additional requirements, which in turn call for a new Business Associate Agreement. In other words, chances are that if you have a Business Associate Agreement dated earlier than March 26, 2013, it no longer covers everything it must and needs to be amended. (The Omnibus Rule did allow qualifying agreements already in place to remain in effect during a transition period that ended on September 22, 2014, but any agreement renewed or modified after that point has to conform to the new requirements.)
What do these changes mean for the “potential BAs”?
1. Overhead increases in order to meet the requirements. According to the Department of Health and Human Services’ Office for Civil Rights, healthcare organizations will spend 32.8 million hours (between $114 and $225 million the first year and $14 million in each subsequent year) complying with the modified HIPAA Omnibus Rule. The work breaks down into:
o Risk Assessment
o Risk Management
o Policies and Procedures
o Security Manager
o Training, including ongoing security reminders
o Contract Administration with subcontractors
2. Less competition, as many BAs will be unable to meet the security requirements or unwilling to accept the added obligations.
3. Marketing opportunity. Since many BAs are still unaware of these requirements and may not be able to comply, the changes are a golden opportunity for those that do follow the rules: compliance can become part of their outreach to existing and new customers.
4. Increased liability, as each infraction may result in mandatory fines ranging from $100 to $50,000 per violation, with an annual cap of $1.5 million for violations of an identical provision. Given that everyone should be aware of the new requirements by now, and that every transaction or service performed without following them may be counted as a violation, a BA’s liability can reach that $1.5 million cap in a very short period of time.
Recommendation
It all boils down to a simple statement: either learn the rules of the game or get out. While that may sound harsh, the reality is easier to digest.
1. Consider compliance a cost of doing business and hire experts to help you build an efficient, cost-effective program. For example, we at Taino Compliance offer an online software program, which we create and maintain, to assist with the following functions:
· Create and maintain Policies and Procedures online. Not only do we provide you with the latest policies, we also update them as needed in response to regulatory and industry changes.
· Forms. Our forms section helps you complete the tasks required by the Policies and Procedures.
· Customer Document Management System. You can now keep all your relevant paperwork in one place: a space that is yours alone, where you upload completed paperwork so that it all resides together.
· Security reminders. We provide security reminders in the form of information for you and your employees, reminders of actions to take throughout the year, and pointers to the forms that support those actions.
· Resources. In case you do not have the in-house resources to act, we will recommend resources such as Uber University (training and certification programs for healthcare professionals).
2. Use the fact that you are compliant as a marketing tool.
3. Concentrate on what you do best.
At the end of the day keep two things in mind:
1. Compliance is the law;
2. It is cheaper to comply than to pay the fines.