September 23, 2013 is the deadline for compliance with the new Health Insurance Portability and Accountability Act (HIPAA) Privacy regulations under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The new rules will affect organizations that handle health-related information, as well as medical clinics and companies that work with them. The regulations also extend the federal healthcare privacy and security laws to embrace a whole new range of companies that service the healthcare industry. Even non-medical professionals may be affected, such as IT consultants working for companies that offer services to hospitals.
The regulations are designed to enhance patients’ privacy rights and protection. They have become increasingly enforceable, regardless of whether the information is held by a healthcare provider, health plan, or their business associates. As a result, any business that handles protected health information (PHI) must comply with the new regulations starting September 23.
Clinics, hospitals, and health insurance companies are generally considered “covered entities” under HIPAA, while a business that performs services for a covered entity and may handle PHI is referred to as a “business associate”. A business associate may also be a company working for or with another business associate that has access to PHI. For the most part, business associates are directly affected by the HITECH Act, which governs the security and disclosure rules relating to the technological aspects of patient records, including where and how data can be stored as well as the consequences of data breaches.
Business associates are required to have a Business Associate Agreement (BAA) in place with each covered entity with which they do business by the indicated deadline. A BAA is also required with any other business associates the company works with.
To become HIPAA compliant, business associates must develop policies that document how they handle client data and sign BAAs with all covered entities they have as clients, as well as with the other business associates they work with.
Documentation is the most important aspect of HIPAA compliance for both business associates and covered entities. To ensure everything is done right, records must show how each rule has been complied with.
If you need help in assessing the impact of the new HIPAA regulations on your business, please give us a call. Please be advised that the information in this article is provided for informational purposes only and does not constitute or substitute for proper legal advice.