HITECH Act: Business Associates Unprepared for the Longer Arm of the Law
A recent survey by the Healthcare Information and Management Systems Society found that more than 30 percent of business associates were not aware that the Health Information Technology for Economic and Clinical Health (HITECH) Act extended the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules to them. Business associates are entities that perform an activity for or assist a covered entity with an activity involving the use or disclosure of individually identifiable health information. These activities may include claims processing, laboratory testing, data analysis, quality assurance or billing, among others. Covered entities may share protected health information with business associates for these purposes under Business Associate Agreements.
Megan Brister is a partner with Anzen Consulting Inc., and works with private and public organizations to develop effective and practical privacy and information security programs. Co-author Michelle Gordon is a privacy lawyer with Anzen and has a specialized understanding of U.S., Canadian and international privacy legislation and industry best practices.
Prior to the HITECH Act, business associates were subject to some requirements under the HIPAA Privacy and Security Rules, such as safeguarding protected health information, accounting for disclosures, making protected health information available for amendment, or notifying covered entities of breaches. However, these obligations were enforced by the covered entities to which the business associates provided their services. Now, the HITECH Act has amended HIPAA to extend several obligations under the Privacy and Security Rules to business associates and to give the Department of Health and Human Services’ Office of Civil Rights (OCR) the power to enforce these requirements directly.
Civil and Criminal Penalties
The HITECH Act introduced significant increases in civil and criminal penalties, which now apply not only to covered entities but also, for the first time, to business associates that have violated their HIPAA requirements. Depending on the violation, civil penalties may range from $100 to $50,000, up to a total of $1.5 million per calendar year. The HITECH Act also provides the Department of Justice with broader and more explicit authority to prosecute and pursue criminal penalties for violations of this nature. If the Department of Justice decides not to act on a violation, the OCR may pursue civil penalties for the same violations. In addition, state Attorneys General now have clear authority to take enforcement action if citizens believe their medical privacy has been violated. This means that business associates are now subject to penalties in an environment that is open to more aggressive enforcement of the HIPAA Rules.
Comply with the Security Rule
Before the HITECH Act amendments, business associates had limited obligations under the Security Rule. Now, business associates must comply with the entire Rule. This includes putting in place not only appropriate safeguards for protected health information, but also formal policies and procedures, training, business contingency, data backup and disaster recovery plans, and audits. Business associates must also appoint a Security Officer and conduct a risk assessment to identify threats and vulnerabilities and to determine the level of security required to safeguard protected health information and comply with the Security Rule.