HIPAA/HITECH Compliance Deadline Looming
As most practices are already aware, September 23, 2013 is the deadline for health care providers and other entities to update many – if not most – of your business associate agreements along with updating your notice of privacy practices. During the review of your privacy notices and business associate agreements, practices should not only be looking into Security Rule compliance of their business associates, but also at their own Security Rule compliance.
Deadline for Business Associate Agreements
Covered entities have until September 23, 2013 to get their business associate agreements updated and ensure compliance with the security rule. However, if a practice has a written agreement in place prior to January 25, 2013, and the agreement complied with regulatory standards at that time, so long as the agreement is not renewed or modified between March 26 and September 23, 2013, the agreement will be deemed compliant until the earlier of (i) the date it is renewed or modified; or (ii) September 22, 2014. Those business associate agreements that contain an “automatic renewal” provision will not count as a renewal under the rule and will not end the deemed compliance period.
Changes to Business Associate Agreements
The Department of Health and Human Services regulations discuss certain provisions that need to be included. Your business associate agreements must now require your business associates to:
- Use appropriate precautions to prevent unauthorized use or disclosure of personal health information;
- Report to the covered entity when there has been a breach of privacy;
- Conduct a risk assessment to determine whether a breach of a patient’s privacy has occurred;
- Comply with individual requests for copies of PHI;
- Destroy or return all PHI received from or created on behalf of a covered entity when feasible;
- Ensure that all subcontractors that will receive access to PHI will agree to the same restrictions that apply to the business associates regarding PHI;
- Restrict their ability to sell and use PHI for marketing purposes; and
- Authorize the covered entity to terminate the contract if the business associate violates the material terms of the agreement.
These provisions seem clear, right? Well, that is until the lawyers get to them. Within these provisions, there is still “wiggle room”. You can include more clarity – and therefore more protection – in your business associate agreements. For example, more protective agreements (at least for a covered entity) could include:
- A shorter breach notification period (i.e., immediate notification or within 1-5 days of discovery);
- An indemnification clause for breach expenses;
- Involvement in risk assessment with your business associate;
- Cooperation in HIPAA investigations;
- Audit rights; and
- Additional – and more individualized – security representations.
Practices should assess whether they need additional protections, such as those mentioned above. Practices should also be careful of business associate agreements provided by the business associate. It may include the basics, such as requiring breach notification within 30 days or provisions that allow the business associate to de-identify data and use PHI for management and administration or data aggregation.
Steps to Ensuring Security Rule Compliance
In reviewing your business associate agreements, it’s a good idea to review your own security rule compliance and inquire about that of your business associates. In looking at your own compliance and that of your business associates, you should ask the following questions:
- Have you conducted a formal security risk assessment?
- What policies and procedures have you implemented with respect to Security Rule standards?
- What security training have you provided to workforce members?
- Have you amended your business associate agreements with your business associates/subcontractors?
- Have you appointed a Security Officer to oversee Security Rule compliance efforts?
These questions are a good start in assessing Security Rule compliance.
Notice of Privacy Practices Updates
Practices must make several changes to their notice of privacy practices, including a notification: that you will notify patients in the event a breach of unsecured PHI; that you cannot sell PHI absent patient authorization; and that there are some restrictions on releasing information to a health plan if the patient is paying out of pocket.
Many practices also maintain their notices on the website. If so, don’t forget to get to update your website with your revised notice!
As we’ve discussed in previous articles, HHS has ramped up its auditing of covered entities related to their compliance with the Privacy and Security Rules. Practices should be looking at these issues now, before an audit occurs. If you need help with any of these issues, please contact Wayne Kinkade or David Briggs at Saalfeld Griggs.