by John Rossheim
As the Department of Health and Human Services (HHS) polishes the rules that will give HITECH full force, relationships between covered entities and their vendors are changing, at least in the form of revised agreements that require those vendors, or business associates, to fully comply with HIPAA’s privacy and security protections. The consequences for health-care providers vary and are not fully resolved. Yet one thing is clear: Providers face more requirements, with more penalties attached.
Under HIPAA, a business associate is an organization that receives protected health information (PHI) from a health-care provider so that the organization can render a service for the provider; the term applies to vendors ranging from nursing homes and home-health agencies to legal and accounting firms, medical transcription and translation firms, and even answering services and shredding companies. Under HITECH, “business associates may be subject to the same criminal and civil penalties as covered entities [such as hospitals] if they are found to be in violation of HIPAA’s security or privacy rules,” says Jason Greis, a lawyer with McGuireWoods in Richmond, Va.
HITECH compliance is more than a theoretical issue that causes bureaucratic headaches; breaches of patient data are numerous and substantial. In March 2010, HHS listed 41 instances of security breaches reported by covered entities – including hospitals’ business associates – during just the preceding five months, with one incident affecting half a million patients. Some 19 percent of health-care organizations reported a breach of HITECH and other health-care privacy and security measures in a 2010 survey, up from 13 percent in 2008, according to a HIMSS report.
HITECH Comes with Stiff Fines
According to some observers, HITECH could be a game changer in terms of enforcement. “HITECH added teeth to the toothless rule that was HIPAA,” writes John Carroll in the April 2010 issue of Managed Care. With civil fines ranging up to $1.5 million per year and the potential for criminal charges, HITECH has moved HIPAA up the compliance priority list for health-care providers and their business associates. State attorneys general may also jump in with their own enforcement actions.
The federal government also brings more resources to bear than it did in the early years of HIPAA enforcement. “HHS now has better funding for audits, and I think they’ll take a tougher stance,” says Dan Aiken, corporate compliance director for the Hospital for Special Surgery in New York. “We’ll see more enforcement, but I don’t know whether it will be an explosive increase,” adds Nathan Kottkamp, a partner with McGuireWoods.
Changing Business-Associate Agreements Is a Start
How do business-associate agreements – which govern the relationship between health-care providers and their vendors – fit into the picture? HITECH mandates that hospitals renegotiate their contracts with vendors to require the vendors’ compliance with security and privacy rules. As such, business-associate agreements are providers’ chief tool for extending the chain of compliance to wherever their patients’ PHI may travel. But health-care providers would be wise to take further measures to ensure the compliance of their vendors, depending on the stance taken by HHS and enforcement agencies.
Because HITECH was enacted last year, many health-care providers have already revised their business-associate agreements, even though they’re still awaiting guidance and final rules from HHS, according to Kottkamp. “HHS is recognizing that it’s a lot of effort to get these agreements revised, so it’s proposing a one-year grandfathering of existing agreements,” Kottkamp says. However, “new agreements must comply as soon as the rules are finalized.” Final HITECH privacy and security rules are likely to be issued in 2011.
Changing these contracts – which describe the patient-data protections that business associates must provide and what they must do if they discover a breach – is a substantial undertaking, according to attorneys who handle the matter. “Revising these agreements is a big pain in the neck,” says Kottkamp. “And it may expose flaws in providers’ recordkeeping; they may have thought they had all the necessary business associate agreements, but they didn’t.”
Still, some compliance officers say the contract revisions are not a big deal. “We’ve changed our template for business associate agreements to cover the new requirements,” says Aiken of the Hospital for Special Surgery in New York. “I thought some of our business associates might balk, but we’ve had no problems with getting them to sign.”
Establishing Additional Safeguards
Health-care providers, though, shouldn’t count on being insulated from liability simply by requiring business associates to sign a new, more stringent contract. “HHS would probably say you need to do something beyond just getting business associates to sign revised agreements,” says Kottkamp. “This would be a big challenge.”
For now at least, some compliance executives are dismissing this potential risk. “We don’t audit our business associates” for compliance with HITECH, says Aiken.
Others disagree and favor a proactive strategy with hospitals documenting their own safe handling of protected electronic patient data, including what’s shared with business associates. “It’s good to have a detailed audit trail that includes all the different access points to PHI,” says Robert Rowley, M.D., chief medical officer of Practice Fusion, a San Francisco provider of Web-based EHR software for group practices. “If you house data in-house, you’re on the hook for protecting it,” says Dr. Rowley. “That’s why it’s vital to have a detailed audit trail with all the different access points to PHI, anytime a record is opened or page printed.”
The safeguarding of PHI has still broader value for providers competing for patients. “It’s good for health-care providers to raise the assurance that patient information is being properly protected,” says Aiken. After all, in the HIMSS study, 38 percent of providers said the primary impact of a data breach was on patient satisfaction.
John Rossheim is a writer and editor who covers information technology, careers and other topics in health care.