After the HIPAA law was passed, the HITECH Act of 2009 strengthened some of the rules that already existed under HIPAA. The Department of Health & Human Services later released interim final rules implementing the strengthened regulations. Below are some of the major developments that modified the existing HIPAA rules and the best practices for maintaining compliance.
1. Definition of a business associate. The interim final rule expanded the definition of a “business associate” to include companies that perform work on behalf of a healthcare provider or organization and that use or handle personal health information. Traditionally, the rule covered entities such as pharmacy benefits managers for insurance plans, billing companies and legal services, but it now also covers vendors who contract with healthcare providers or organizations to provide personal health records, entities that interact with e-prescribing systems and, most importantly, subcontractors who act on behalf of direct business associates.
2. Accounting of disclosures. Healthcare providers and organizations are now required to account for each disclosure of personal health information. Traditionally, clinicians and organizations were required to keep a detailed list of disclosures dating back six years, but the rule now requires healthcare providers to provide a list of disclosures going back three years. Providers who use electronic health records must also include in the list of disclosures details about treatment, payment and healthcare operations. Additionally, healthcare providers are required to notify affected patients after they experience a security breach.
3. HIPAA violation enforcement. Business associates are now liable to face stricter penalties for non-compliance. Violation of some HIPAA rules can result in devastating civil and criminal penalties. Even individuals who were not aware that they had committed a violation can face penalties of anywhere from $100 to $50,000 per violation.