Pratum Blog

Are you a business associate of a covered entity as defined by HIPAA? If so, you need to read the following excerpt from the American Recovery and Reinvestment Act (ARRA), whose Title XIII is the HITECH Act.

PART 1—IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS

SEC. 13401. APPLICATION OF SECURITY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES; ANNUAL GUIDANCE ON SECURITY PROVISIONS.

(a) APPLICATION OF SECURITY PROVISIONS.—Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

(b) APPLICATION OF CIVIL AND CRIMINAL PENALTIES.—In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision.


Do I have your attention now?

For the past six years only covered entities such as physicians, health plans and healthcare clearinghouses have been required to comply with the infamous HIPAA Security and Privacy Rules. Organizations that had access to protected health information (PHI) but were not covered entities (CEs) were not directly bound by those rules. Most business associate agreements (BAAs) stated only that the business associate (BA) would protect, with due diligence, the information it obtained from or managed on behalf of a CE. ARRA has changed the rules of the game. I'm actually surprised it took this long.

If you are a business associate of a covered entity, you need to prepare to take on additional risk. Now that a BA is legally bound to the same standards as a CE, sanctions and fines for deficiencies are a new reality. Hopefully your business model was to comply with HIPAA from the outset, knowing this day would come. If so, great. If not, you will be playing catch-up for quite some time.

While there will surely be a ramp-up period before heavy enforcement begins, you can be sure some examples will be made. Don't be one of them. Get your business leadership together and review your risk assessments, control standards and overall security posture. Even a nightmare story to tell an auditor who shows up unexpectedly will go over a lot better than no story at all. Guaranteed.
