Are you a business associate of a covered entity as defined by HIPAA? If so, you need to read the following excerpt from the American Recovery and Reinvestment Act.
PART 1—IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS
SEC. 13401. APPLICATION OF SECURITY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES; ANNUAL GUIDANCE ON SECURITY PROVISIONS.
(a) APPLICATION OF SECURITY PROVISIONS.—Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.
(b) APPLICATION OF CIVIL AND CRIMINAL PENALTIES.—In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security
Do I have your attention now?
For the past 6 years, only covered entities such as physicians, health plans or healthcare information clearinghouses were required to comply with the infamous HIPAA security and privacy rules. Organizations that may have had access to protected health information (PHI) but were not covered entities (CEs) were not required to follow HIPAA standards. Most business associate agreements (BAAs) stated only that the BA would protect the information it obtained from, or managed on behalf of, a CE with due diligence. ARRA has changed the rules of the game. I'm actually surprised it took this long.
If you are a business associate of a covered entity then you need to prepare to take on some additional risk. Now that a BA is legally bound to the same standards, sanctions and fines for deficiencies are a new reality. Hopefully your business model was to comply with HIPAA from the onset knowing this day would come. If so, great. If not, you will be playing catch up for quite some time.
While there will surely be a ramp-up period before heavy enforcement begins, you can be sure there are some examples to be made. Don't be one of them. Get your business leadership together and review your risk assessments, control standards and overall security posture. Even having a nightmare story to tell an auditor who shows up unexpectedly will go over a lot better than no story at all. Guaranteed.