Business Associates Get HIPAA Alert
Proposed Rule Clarifies Their Responsibilities
The proposal is designed to ensure that patients' rights are protected as more health records are digitized and exchanged. And a crucial component, security experts say, is protecting that information everywhere that it's used.
Chain of Trust
"It's the whole chain of trust that has to be completed," stresses Kate Borten, president of The Marblehead Group.
"At first glance, the most impactful area in the proposal may be the new requirements relating to business associate agreements," adds Lisa Gallagher, senior director, privacy and security, at the Healthcare Information and Management Systems Society.
"The depth of the changes in the business associate rules was a surprise," adds Dan Rode, vice president of policy and government relations at the American Health Information Management Association.
The "notice of proposed rulemaking" issued July 8 also includes detailed provisions granting patients access to their information and enabling them, in certain cases, to restrict who can access or use it.
The Department of Health and Human Services' Office for Civil Rights prepared the proposed rule, which is required under the Health Information Technology for Economic and Clinical Health Act, also known as the HITECH Act.
Clear Guidance
The proposal makes it crystal clear that the HIPAA privacy and security rules' requirements would apply to business associates -- companies that provide services to "covered entities," such as hospitals, clinics and insurers, and have access to protected health information.
Plus, it would take the significant additional step of requiring business associates to sign agreements with their subcontractors to ensure they also comply with HIPAA.
The exhaustive detail in the proposed rule dealing with business associates' requirements was sorely needed, says Rebecca Herold, owner of Rebecca Herold & Associates. In advising hundreds of business associates about compliance issues, Herold says she's been frustrated that many have mistakenly concluded that neither HIPAA nor the HITECH Act required them to meet the same compliance standards as their covered entity partners.
"The rule makes it much clearer that the covered entities' responsibilities must go far beyond just having a business associate agreement," Herold stresses. Instead, hospitals, clinics and others must work closely with their business partners to make sure they're carefully following the HIPAA privacy and security rules, she adds.
"There have been so many breaches that have been the result of a lack of security controls within business associates and their subcontractors that HHS wanted to make sure they made it very clear that these organizations were responsible for HIPAA compliance," she notes.
Broader Definition
Herold praised the proposed rule for broadening the definition of business associates. The revised definition includes vendors of personal health records software and health information exchanges, as well as "patient safety organizations," which receive reports on safety events from healthcare providers. But a PHR vendor would not be considered a business associate unless it had a contract with a covered entity to offer a PHR to patients as part of the covered entity's electronic health record.
Including patient safety organizations, Herold says, "helps fill an important gap in privacy protections that has emerged over the past few years."
Other examples of business associates, as defined earlier under HITECH, include: third-party administrators, pharmacy benefit managers, claims processors, transcription companies, lawyers and accountants, among others.
Addressing Uncertainty
By spelling out that business associates' subcontractors also must be HIPAA-compliant, the rule helped resolve uncertainty, Borten says. "I have lots of clients who are business associates, and they all use subcontractors, and there wasn't, until now, the sense that those subcontractors had to comply just as the business associate does."
Adding subcontractors to the list of those who must comply "makes sense" because it closes the security loop, including everyone who might access protected health information, adds Rode of AHIMA.
Federal regulators will accept comments on the proposed rule through Sept. 13 before making their final revisions.