The post below is a guest blog from Lindsey Surratt who serves as Compliance Officer for CAI’s employee benefits partner, HCW Employee Benefit Services.
Until 2009, most employers had little to worry about when it came to complying with the privacy standards of HIPAA, short for the Health Insurance Portability and Accountability Act, which protects the confidentiality of individuals’ health records. Even if employers contracted as business associates with healthcare providers and other similar entities, they were not directly subject to HIPAA regulations because they were not regulated by the U.S. Department of Health & Human Services’ Office for Civil Rights, which enforces HIPAA.
But the passage of the HITECH Act three years ago extended HIPAA’s data privacy and security requirements to business associates, such as accounting firms, billing agencies, law firms, and other groups and individuals that provide services to the entities covered under HIPAA. HITECH, which stands for the Health Information Technology for Economic and Clinical Health Act, broadened HIPAA’s reach as part of the move to electronic health records, or EHRs, in anticipation of the Affordable Care Act’s implementation in 2014.
Now, business associates can face the same penalties from the government as employers, healthcare providers, and other covered entities. This includes monetary penalties that are mandatory for violations involving “willful neglect.” Additionally, under the HITECH Act, the Department of Justice (DOJ) may pursue criminal penalties for a violation that rises to the level of criminal activity. If the DOJ declines to act on a HIPAA violation, the Office for Civil Rights may pursue civil penalties for that same violation under HITECH.
Not all access or use of protected health information by a business associate’s employees is considered a breach resulting in penalties under HITECH. For example, unintentional acquisition, access, or use of protected health information by an employee or other individual acting under the authority of a business associate is not treated as a breach if it was made in good faith, within the course and scope of that person’s employment or other professional relationship with the business associate, and did not result in any further use or disclosure that HIPAA does not permit. Note that this exception covers only inadvertent, good-faith handling; the same information deliberately looked up out of curiosity, or passed along to someone with no need for it, falls outside it.
Businesses affected by HITECH should assess where their HIPAA compliance efforts stand and consider whether opportunities exist to reduce risk in these areas. They should prepare for the possibility of a security breach and even an audit, while at the same time implementing basic physical safeguards such as locking the cabinets and rooms that hold personnel files.
We are ready to help you identify what steps you need to take to keep protected health information secure, particularly as employers become more involved in the health of their employees and more EHRs are implemented by healthcare providers. In addition to our in-house compliance resources, we can also assist you in determining if there are any external HIPAA compliance tools that might fit your organization’s needs. If you have further questions about whether your business is affected by HITECH and what steps to take if that is the case, please comment!
Photo credit: iStock