Recently, the Department of Health and Human Services (HHS) issued the HIPAA Omnibus Final Rule, which carries potential penalties of up to 1.5 million dollars per calendar year. Many companies, even those outside of the healthcare industry, are impacted by this Final Rule and HIPAA regulations. Farhang & Medcoff can help you or your company keep one New Year's resolution: ensuring compliance with all HIPAA privacy and security obligations.
Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to protect and secure health care information, while promoting the standardization of health information collection and exchange. Later, in response to reports of lax enforcement of HIPAA rules, Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009. HITECH requires audits, increases penalties, and makes sweeping changes to enforcement of HIPAA obligations that became effective with the Final Rule.
On September 23, 2013, the Final Rule became effective. As of this date, not only must all “covered entities” (health plans, health care clearinghouses, and medical providers) comply with HIPAA regulations, but liability for compliance also extends directly to all “business associates” of these covered entities (any person or business that performs services for or on behalf of a covered entity that may involve the use or disclosure of protected health information).
The “Chain” of Compliance
It is important for any business to determine if it falls within the “chain” of compliance. The Final Rule requires that all business associates and subcontractors down the “chain” from a covered entity meet the multitude of complex HIPAA requirements. Common examples of business associates and subcontractors down the “chain” from covered entities include: businesses involved in claims processing, data analysis or billing services; and service providers, such as law firms, accounting firms, consultants, data storage or entry companies, shredding services, courier services, expert witnesses, and others if the work deals directly with the use or disclosure of protected health information. A business may not claim lack of knowledge as to HIPAA applicability and requirements as a defense in order to avoid audit and penalties.
Business Associate Agreements and Documentation
The Final Rule establishes new and burdensome documentary obligations on various types of organizations. All covered entities must have a HIPAA-compliant business associate agreement in place with all business associates in the “chain” of compliance. In turn, all business associates of covered entities must also have a HIPAA-compliant business associate agreement in place with any subcontractor or service provider that may come into contact with protected health information. Not all agreements are created equal, and businesses are well advised to ensure that the business associate agreement they use satisfies HIPAA's complex requirements.
Direct Audits by Department of Health and Human Services
The Final Rule requires HHS to conduct periodic audits of covered entities and business associates. In the past, business associates and subcontractors of covered entities were not subject to direct audit and penalties by HHS, but the Final Rule makes business associates directly subject to audit and potential penalties, independent from covered entities.
In addition to empowering HHS to audit business associates and subcontractors directly, the Final Rule also provides substantial increases to penalties for violations. Depending on the severity of the violation, HHS may levy fines of up to $50,000 per violation (that's for each discrete protected health record—imagine a potential security breach affecting multiple patients and/or multiple health records!) with a maximum of 1.5 million dollars in penalties per calendar year. In addition, in certain cases, criminal penalties of up to 10 years imprisonment and fines of up to $250,000 may be imposed upon individuals, such as directors, employees, or officers of covered entities.
If you or your business(es) are covered entities, business associates of a covered entity, or subcontractors down the chain from a covered entity, you are advised to contact a well-versed legal professional to review HIPAA compliance considerations. Best practice is to hire an outside law firm and/or HIPAA consultant to conduct a full-service HIPAA review, including the following:
- Risk analysis of existing privacy and security safeguards;
- Evaluation of gaps in privacy or security;
- Suggestions for implementing procedures to address any privacy or security gaps;
- Examination of all required and addressable safeguards contained in the HIPAA Security and Privacy rules;
- Drafting or review of comprehensive written company policies and procedures for HIPAA compliance;
- HIPAA training for all employees (with written materials); and
- (Perhaps most important) drafting or review of a business associate agreement for use with all business associates and subcontractors that may use or disclose protected health information.
Farhang & Medcoff has formed a team of knowledgeable attorneys and technical staff to help clients achieve or confirm compliance with the HIPAA Omnibus Final Rule. Roscoe Mutz, an attorney in Farhang & Medcoff's Tucson office, is experienced in HIPAA-related matters and happy to help you. Please contact Roscoe with any HIPAA concerns or to schedule a full-service HIPAA review.