Well, if this doesn't prove my point...
No sooner had I written about the HITECH Act's popularity among readers in 2009 and said that it would continue to be a hot topic this year than I found a guest opinion by Anzen Consulting's Megan Brister and Michelle Gordon, published Wednesday, about the HITECH Act's extension of HIPAA privacy and security requirements to those companies classified as business associates of HIPAA-covered entities.
Pointing to recent research from the Healthcare Information and Management Systems Society, Brister and Gordon note that a significant portion of business associates didn't even know the HITECH Act extended parts of HIPAA to apply to them. (This despite efforts by Goodwin Procter's Jacqueline Klosek and others like her to get the word out.)
According to Brister and Morgan, "business associates" as contemplated by the HITECH Act are companies that:
perform an activity for or assist a covered entity with an activity involving the use or disclosure of individually identifiable health information. These activities may include claims processing, laboratory testing, data analysis, quality assurance or billing, among others.
Prior to the HITECH Act, these businesses were responsible for complying with parts of the HIPAA privacy and security rules, but they were responsible to the HIPAA-covered entities with which they work. The health care organizations would ensure the requirements were met by enforcing their agreements with the business associates.
Now, however, the Department of Health and Human Services' Office of Civil Rights can enforce the rules directly against the business associates. Brister and Morgan note that civil penalties for violations can range from $100 to $50,000 to a maximum of $1.5 million a year. Moreover, the Department of Justice also has the option to pursue criminal penalties.
Brister and Morgan set out seven steps that business associates should take to move toward compliance with the HITECH Act. Five of those are as follows.: