Just as the healthcare industry came up to speed on the regulations defined in The Health Information Technology for Economic and Clinical Health (“HITECH”) Act, additional modifications are being proposed. These proposed rules focus on expanding obligations and penalties for covered entities (CEs) to now include business associates (BAs).
So why is this significant? For two reasons. First, combined with the HITECH Act, the new rules will expand both the application of certain HIPAA Security and Privacy requirements and the associated penalties to business associates. Second, the proposal expands the definition of a BA to include subcontractors who handle health information. Subcontractors would be considered BAs and would be subject to direct liability under the HIPAA rules.
Many provider networks, physician practices and insurance plans work with outside vendors to manage their businesses and patient health information. Many of these vendors are BAs who in turn use subcontractors. Under the proposed new regulations, these subcontractors must also be HIPAA compliant and follow the HITECH regulations or face penalties. This also means that CEs could be held liable when a BA does not comply.
How well does your company know its business associates…and the businesses that they do business with? As health care organizations expand their operations, it is imperative that due diligence be performed to avoid potential liability stemming from non-compliant vendors. Some privacy professionals feel the best way to prevent liability under the new requirements is to be proactive about adhering to compliance standards.
Companies should consider actively working with their vendors to address the stringent HITECH requirements and to ensure that anyone who falls under the BA category is aware of the full implications as they relate to HITECH and HIPAA. The more proactive you are, the better your chance of avoiding potentially heavy fines caused by a BA that was not aware of the law.