ARRA's Impact on HIPAA Privacy and Security

(Oct. 14, 2009)

Part 1: Business Associates

One of the most notable changes mandated with the enactment of the American Recovery and Reinvestment Act (ARRA) of 2009 is the expansion of the scope of the HIPAA privacy and security regulations beyond healthcare providers, clearinghouses and health plans, referred to as covered entities. Now, almost any type of vendor or contractor -- referred to as a business associate -- that provides services to these types of healthcare organizations must comply, to the same extent as covered entities, with the privacy and security regulations governing protected health information (PHI) as mandated by the Health Insurance Portability and Accountability Act (HIPAA).

As such, business associates will be subject to HIPAA's civil and criminal penalties and enforcement proceedings for violations involving the mishandling of PHI. These most recent provisions are contained in a portion of ARRA called the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Previously, HIPAA applied directly only to covered entities -- providers and health plans -- and only indirectly to the business associates that perform PHI-related functions and services for them. These services include, but are not limited to, legal services, accounting, information technology, and financial support. Under the old rules, these types of entities were required to enter into a business associate agreement (BAA) to ensure that they complied with the HIPAA privacy and security regulations; now, under the HITECH Act, once a BAA is entered into, all of the HIPAA rules, including penalties for violations of HIPAA, apply directly to business associates as well.

In addition, vendors providing PHI data transmission services to covered entities and vendors that require PHI access on a routine basis are now considered business associates and are required to sign BAAs. These types of vendors include health information exchange organizations, regional health information organizations and personal health record vendors. This provision also greatly affects software vendors.

Additionally, all covered entities and business associates can expect heightened enforcement of the privacy and security regulations and tougher monetary penalties ranging from $25,000 to $1.5 million.

Protecting your organization

In light of the HITECH regulations, providers will need to revise their vendor contracts to reflect the new breach notification provisions. In doing so, how can hospitals and business associates protect themselves? According to Senior Compliance Consultant Mary Thomason of Salt Lake City, UT-based Intermountain Healthcare, speaking at the American Health Information Management Association convention in Grapevine, TX in October, there are several strategies that both business associates and providers should put in place to ensure proper compliance and PHI protection:

  • Ensure that all BAAs spell out the details of the timing and content of security breach notifications.
  • Ensure that current, around-the-clock contact information for key business associate/healthcare organization staff who manage privacy and security breach notifications is on file and easily accessible to staff.
  • Be prepared to demonstrate to the Department of Health and Human Services (HHS) Office for Civil Rights how your organization is complying with privacy and security requirements. According to Thomason, HHS will be conducting periodic compliance audits of both business associates and covered entities.

Part 2 of this article will discuss how the ARRA requires business associates to handle privacy and security breaches and the disclosure, sale and accounting of PHI.