EVERYONE IS A BUSINESS ASSOCIATE
HITECH confirmed that business associates are under the direct application of HIPAA, particularly the Security Rule's Administrative, Physical and Technical Safeguards. In the newest rule, HHS makes it clear that all business associates or subcontractors that access PHI are subject to HIPAA as business associates. It is also clear that this rule applies “down the chain” to subcontractors, etc.
What does this mean? – At the very least:
1. You will need to know all of the subcontractors and business associates of your direct business associates;
2. You will need adequate assurance that they have executed proper business associate and privacy agreements;
3. Any entity that has access to your patients’ PHI, whether a cloud provider like Amazon, or an online backup service like Carbonite or Mozy or anyone else, will need to sign a business associate agreement with you; and
4. You will have to show that you have performed due diligence with regard to the business associates and their privacy and security efforts.
FEDERAL PRISON FOR IDENTITY INFORMATION THIEF
A Florida hospital emergency room clerk has been sentenced to twelve months and one day in federal prison for improperly accessing PHI. He had been accused of accessing over 750,000 EHRs and of copying and selling information on over 10,000 motor vehicle accidents. This gentleman also faces an additional two-year term of supervised release, while his wife and others in the case await sentencing.
Insider threats continue to be one of the most damaging PHI breach threats because of the specific intent to obtain information from PHI. When compared to someone simply stealing a car with an unencrypted laptop with PHI in it, the likelihood of the insider obtaining and actively using the PHI is much higher.
There is also no report yet on what penalties the Florida hospital will pay or suffer. One wonders what periodic review measures and security measures the hospital had in place that would allow this sort of PHI data mining to occur for several years without detection.
SAMPLE BUSINESS ASSOCIATE AGREEMENT FROM HHS
HHS has just published language which it suggests would be suitable for revised business associate agreements.
This language is simply intended to be inserted in an overall agreement, unlike the initial language offered by HHS several years ago, which was clumsily written but intended to be the entire agreement.
If you would like to see HHS’ sample language, let us know and we will be glad to furnish it to you. If you would like any advice with regard to updating your NoPP or business associate agreement, please contact us.
AFFORDABLE CARE ACT FAQS
If you think the Affordable Care Act is complex, the United States Department of Labor, on January 24, 2013, issued its eleventh set of FAQs about Affordable Care Act implementation. There is no indication how many future additional FAQ publications will occur. If you would like to review this, it is available on the United States Department of Labor’s website under Employee Benefits Security Administration, Frequently Asked Questions.
E-COPIES OF EHR FOR PATIENTS
The recently finalized HIPAA Rules make it clear that a patient has the right to receive an electronic copy of their health data upon request. The patient also has the right to require that such data be sent to any person or designated entity including online personal health record sites or mobile applications.
The new rule eliminates the provision that previously allowed 60 days to fulfill record requests. The new standard requires entities to provide access to all paper and electronic PHI within 30 days of the request, with a one-time option to extend the period for an additional 30 days.
CAN THE STATES KEEP UP?
As of February 1, only eleven states have taken steps to implement new consumer safeguards required under the Affordable Care Act. These reforms require the states to implement statutes, rules and regulations on seven areas related to reform, including a ban on coverage waiting periods, coverage for people with preexisting medical conditions and limits for out-of-pocket consumer costs in certain cases. Indiana, Illinois and Kentucky are included in the states which have taken no action as of this date. While states that do not establish their own insurance exchange/marketplace can assume that some of the protections will be available through the federally run exchange/marketplace, the real effect will be the entry of the federal government into insurance regulation that has previously been limited to the states.
This newsletter is edited by Paul Wallace of Jones • Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians in health practices in contract items, federal legal compliance, creation of practice entities, estate and wealth planning and similar issues. Please feel free to call if you have any questions about this newsletter or any other matter at (812) 402-1600 or email@example.com.