Business associates want to know. Covered entities want to know.
What do I do in order to comply with the new HIPAA laws in the Health Information Technology for Economic and Clinical Health (HITECH) Act?
Actually, they have to know.
The compliance deadline is February 18, 2010, but many questions linger.
During a recent HCPro audio conference called Business Associates and Covered Entities: Adapt Contracts to Comply With New HIPAA Law, attendees asked plenty of questions:
- Which is the business associate when a medical device company sales representative is in the OR–the sales rep or the company?
- Can a covered entity, like a Medicare-certified hospice program, also be considered a business associate if it works on behalf of another covered entity?
- Will there be some guidance regarding whether updating the existing business associates is going to be required?
The questions probably won't stop any time soon. However, case-by-case scenarios aside, there is an overarching message to all parties affected by the new HIPAA laws.
"The first thing both the covered entities and the business associates should do is try to understand the new requirements, and analyze the gaps between their existing policies, procedures and practices, and what they should be doing–both under HITECH, and anything they’ve missed or avoided under HIPAA," said John R. Christiansen of Christiansen IT Law in Seattle, one of the speakers on the program.
Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, also presented tips for compliance during the audio conference.
The next step is to map out your expectations regarding contract revisions. The last-minute approach will overwhelm each party.
"This could make for an unhappy holiday season and cancelled ski trips for folks in organizations which don’t start this process in the very near future," Christiansen said.
Christiansen serves as chair of the newly formed HITECH Business Associates Task Force of the American Bar Association’s Health Law Section and the HITRUST Business Associates Working Group of the Health Information Trust Alliance.
After hearing the responses during and after the audio conference, Christiansen said some covered entities and BAs need to get past some basic denials:
- HITECH covers more than EHRs. The HITECH requirements do not just apply to EHRs or organizations using EHRs. "HITECH is intended in substantial part to promote implementation of EHRs," Christiansen says. However, its requirements–particularly BAs complying with the HIPAA Security Rule and contract revision between covered entities and BAs–apply without regard to EHRs.
- No extensions from Congress. The compliance date on the HIPAA Security Rule and contract revisions is February 18, 2010, and is "written in the legislation, which means only Congress has the authority to change it. I think given everything else on Congress’ docket these days, relief on this point–which would be opposed by the privacy community and not understood by most other people–will not happen," he says.
- HHS will look for violations. Congress wants enforcement of HIPAA; it wrote into the new laws enhanced civil penalties, expanded regulatory authority, and auditing requirements. "You can’t just assume noncompliance won’t matter because nobody’s looking," Christiansen says. "Congress wants [HHS] to look, and there are increased financial incentives for federal and state regulatory authorities to pursue penalties."