Basic information regarding the changes in HIPAA that will become effective in Mar 2013. This presentation is designed as an introduction to Business Associates.
3. Title I Portability: guarantees health coverage when employees change jobs
Title II Accountability: also known as the Administrative Simplification provisions, establishes national standards for the protection of health data:
◦ Privacy
◦ Security
◦ Enforcement
◦ Electronic Transactions
4. Covered Entity: refers to three specific groups that normally transmit health information electronically:
◦ health care providers
◦ health plans
◦ health care clearinghouses
Business Associate: a person or agency who performs a function or activity for or on behalf of a covered entity that involves the use of patient information
5. The 2013 final rule addresses a number of earlier rules and incorporates them as the definitive requirements for compliance. It:
1. Implemented changes to HIPAA that were mandated by the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH);
2. Finalized the 2009 Enforcement and Breach Notification Interim Final Rules; and
3. Modified HIPAA's Privacy Rule to strengthen the protections for genetic information required under the Genetic Information Nondiscrimination Act of 2008 (GINA).
6. Business Associate definition expanded to include any entity that creates, receives, maintains or transmits PHI on behalf of a Covered Entity or an organized health care arrangement.
Broadened the definition of Business Associate to include any downstream subcontractors of Business Associates.
Liability and compliance rules expanded to include the BA and its subcontractors.
7. “All those entities that create, receive, maintain, or transmit PHI on behalf of a covered entity.”
◦ Data storage companies that store physical or electronic data
◦ Software vendors
◦ Insurance sales agents and vendors
◦ Professionals (lawyers, consultants)
“It is what you do, not what you call yourself, that determines whether you are a Business Associate”
9. Analyze whether you are now considered a Business Associate;
Assess whether your subcontractors/vendors are considered Business Associates;
Conduct audits and gap analysis;
Revise/Implement Policies and Procedures;
Revise/Implement Agreements;
Train employees.
10. Posted in Federal Register: January 25, 2013
Effective date: March 26, 2013
Compliance date: September 23, 2013
11. Do not delay actions
Enforcement date is September 2013
◦ Compliance steps may take over 6 months
If in doubt, consult an expert
Dr. Jose I. Delgado is the President and CEO of Taino Consultants Inc., a consulting firm that focuses on healthcare business start-ups, compliance and operations. Dr. Delgado can be contacted at DrDelgado@TainoConsultants.com.
Editor's Notes
The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104-191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton in 1996. It was sponsored by Sen. Nancy Kassebaum (R-Kan.). Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification (AS) provisions (Title II) that required national standards for electronic health care transactions and code sets, unique health identifiers, and security. AS also covered the areas of Privacy, Security, Enforcement and Electronic Transactions. The Privacy Rule set national standards for the protection of individually identifiable health information, while the Security Rule emphasized the protection of information in electronic format. The Enforcement Rule established the procedures and penalties in case of unauthorized releases.
The term "covered entity" under the HIPAA Privacy Rule refers to three specific groups: health plans, health care clearinghouses, and health care providers that transmit health information electronically. Covered entities under the HIPAA Privacy Rule must comply with the Rule's requirements for safeguarding the privacy of protected health information. Below is a more detailed list of those who fall under the covered entity category under HIPAA.
Health Care Providers: this includes all health care providers, regardless of practice size, provided that they transmit health information electronically. The specific electronic transactions subject to this rule are those that are covered under the HIPAA Transactions Rule. Providers subject to the Privacy Rule include:
◦ Doctors
◦ Clinics
◦ Psychologists
◦ Dentists
◦ Chiropractors
◦ Nursing Homes
◦ Pharmacies
Health Plans:
◦ Medical, Dental, and Vision Plans
◦ HMOs
◦ Medicare and Medicaid
◦ Medicare+Choice and Medicare Supplement Insurers
◦ Long-Term Care Insurers (excluding nursing home fixed-indemnity policies)
◦ Veterans Health Plans
◦ Company Health Plans
Exceptions include:
◦ A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity;
◦ Government-funded programs whose principal purpose is not providing or paying the cost of health care;
◦ Government-funded programs whose principal activity is directly providing health care or the making of grants to fund the direct provision of health care; and
◦ Certain types of insurance entities, such as those providing only workers' compensation, automobile insurance, and property and casualty insurance.
Health Care Clearinghouses: entities that process nonstandard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa. This includes:
◦ Billing Services
◦ Repricing Companies
◦ Community Health Management Information Systems
◦ Value-added networks and switches, if these entities perform clearinghouse functions
Amendments to the Enforcement Rule: Increased Penalties and Fewer Defenses
Even for covered entities that have long been subject directly to HIPAA regulations, the stakes will now be higher. The HITECH Act raised the maximum penalty for HIPAA violations to $50,000 per violation and $1.5 million for a group of identical violations. These increased penalties will now apply to violations by covered entities and business associates alike.
The revised Enforcement Rule limits the affirmative defenses available to an entity that violates HIPAA. A complete defense is available only if the violation was not due to willful neglect and was corrected within thirty days of when the entity knew, or by exercising “reasonable diligence” would have known, of the violation. This means that an entity’s reasonable lack of knowledge of a violation, alone, will no longer constitute a complete defense, as it did in the past. Moreover, an employee’s or business associate’s knowledge of a violation may be imputed to a covered entity.
In addition, business associates will become directly liable for their breaches. HIPAA requires BAAs to provide that business associates must notify the covered entity upon discovery of any violation. The new rules also make business associates directly liable for the failure to provide such notice. A covered entity or business associate is non-compliant if it knows “of a pattern of activity or practice of [its business associate or subcontractor] that constituted a material breach or violation of the [BAA],” unless the superior either took “reasonable steps” to cure the breach or ended the arrangement. Even when a subordinate’s potentially violative activity is not known, the supervising authority may be liable for the violation if the subordinate was acting as the “agent” of the covered entity or business associate.