The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) introduced Privacy and Security regulations to safeguard protected health information (“PHI”). HIPAA was primarily directed at healthcare providers, health care clearinghouses and health plans (such as an insurance company), which are referred to as covered entities (“CEs”). As part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH”) expanded the reach of, and the penalties associated with, HIPAA compliance. Two of the key areas where HITECH affects companies’ HIPAA compliance are the requirements placed on Business Associates (“BAs”) and the federal breach reporting requirements imposed on HIPAA CEs and BAs.
HIPAA initially required CEs to comply with the Privacy and Security rules, while the BA was not required to comply with HIPAA. However, the CE was required to contractually obligate the BA to protect and secure the PHI that was shared with it. HITECH extended the Privacy and Security requirements of HIPAA to the BA, so now both the CE and the BA are required to comply with HIPAA. This change affects the HIPAA compliance of both CEs and BAs. For the CE, previously drafted contracts that required BAs to protect the PHI shared with them should be reviewed in light of HITECH to determine whether language should be added to require HIPAA compliance. For the BA, the new obligation to comply with HIPAA necessitates a review of its current controls and processes against the requirements of HIPAA and remediation of any gaps between those processes and the HIPAA requirements.
HITECH also introduced the requirement for both CEs and BAs to develop a breach notification procedure to follow if a breach occurs that “compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.” HITECH applies specific definitions of a breach, provides exceptions to the reporting requirements, and defines specific reporting requirements based on the type and magnitude of the breach. CEs and BAs should review their current incident response procedures and/or breach notification procedures to ensure they comply with the requirements of HITECH.
Maintaining compliance with regulatory controls requires continuous monitoring of published guidelines. CEs and BAs should review the requirements of HITECH against their current HIPAA compliance program to ensure ongoing compliance.