Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) must have agreements in place with the business associates (such as billing companies and consultants) with whom they share protected health information. However, prior to the recent passage of the Health Information Technology for Economic and Clinical Health Act (HITECH), if a health care provider had been asked whether a business associate was "high tech," the answer would have been based on the business associate's use of the latest technology.
Now, "high tech" means compliance with HITECH. Beginning on HITECH's effective date of February 12, 2010, business associates must comply with the same HIPAA Security Rule that applies to health care providers and other HIPAA covered entities. The Security Rule requires parties to implement administrative, physical and technical safeguards to protect the integrity, confidentiality and availability of electronic protected health information (or electronic PHI).
Moreover, all HIPAA covered entities and business associates should amend their existing business associate agreements. Some of the new requirements are innocuous, such as requiring the business associate to name a HIPAA Security Officer. However, business associate agreements also need to be amended to address the following:
1. The prevention and detection of security violations involving electronic PHI, including an examination of user activity on information systems that contain or use electronic PHI;
2. Work force access to electronic PHI and facilities where electronic PHI is stored;
3. The authorization granted to software and persons to access electronic PHI;
4. The reporting and mitigation of known or suspected security incidents;
5. The business associate's response to emergency situations that damage or render inoperable systems that store electronic PHI;
6. The receipt and removal of electronic data storage devices (which contain electronic PHI) from the business associate's secure facility; and
7. The use of appropriate safeguards that guard against unauthorized access to electronic PHI being transmitted over an electronic communication network.
In addition, business associates should review their security policies and procedures to confirm their compliance with the HIPAA Security Rule, because, after February 12, 2010, business associates will be subject to the same civil and criminal penalties that currently apply to HIPAA covered entities. Those penalties are civil fines ranging from $100 per incident and $25,000 in the aggregate per year up to $50,000 per incident and $1.5 million in the aggregate per year, and criminal penalties of up to $250,000 per incident and up to ten years in jail.