Last week I engaged in a very interesting tweetversation with David Mortman about when the U.S. Department of Health and Human Services (HHS) needs to get their guidance documents and rules published for the various HITECH Act requirements…
Often the best guidance documents for the HIPAA regulations are found within transcripts from public meetings that the HHS holds.
For interpreting and better understanding of how to apply and comply with the HITECH Act and HIPAA, the proceedings document from the “NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS SUBCOMMITTEE ON PRIVACY, CONFIDENTIALITY AND SECURITY” meeting on February 25, 2009 is very interesting as well as helpful.
There is so much to comment about for these proceedings! I want to pick just one section right now. Here is the first of many excerpts of note which discusses the expansion of the responsibilities for business associates:
“MS. MCANDREW: …the first substantive provision is the 13401, which essentially makes business associates now responsible for adherence to specific provisions in the security rule. These are specified in the law, these are the fundamental must-dos to comply with the security rule. They are in addition to those security rule provisions, this provision makes business associates responsible for compliance with other requirements in the HITECH Act that are placed on covered entities. Then it extends the criminal and civil liabilities for violations, which now just applied to covered entities, to apply directly to business associates for violations of these security provisions, and violations of the HITECH provisions related to security.
There is also a requirement for the issuance of guidance to covered entities on the most effective and appropriate technical safeguards to be used in carrying out their various now security rule compliance efforts. These provisions take effect under the general effective data provisions of the Bill, which is one year after enactment.
MS. GREENBERG: Is the guidance for the business associates or for the covered entities?
MS. MCANDREW: The guidance is essentially for the business associates, but as the rules are now the same for the business associates and the guidance will come from what’s been said to the covered entities.”
“MS. MCANDREW: I will skip over, if I could, to the counterpart of this provision which is on Page 3, 13404, which essentially does the same thing with respect to privacy, although it does it in a much less elegant manner than the security rule. Provisions were extended to business associates, but this will essentially make business associates liable for privacy violations in the same way that covered entities are today responsible for privacy violations. Right now the interpretation is this will probably be violations with regard to the use and disclosure of information. These provisions do not in effect, as is sometimes characterized, turn business associates into covered entities. It does not do that. And business associates are not required to take on the panoply of all the administrative requirements that we impose on covered entities and can hold covered entities liable for violating. They are very specific on the security side, unfortunately less specific on the privacy side, as to what the standard is that business associates will now be held to and liable for. But clearly uses and disclosures of information in violation of the privacy rule will be a liability directly on business associates.
The privacy provisions in business associates also takes effect twelve months from enactment. Again, makes any new requirements from the HITECH Act that are imposed on covered entities also imposed on business associates for the purposes of this new liability.
MS. BERNSTEIN: Where it says the provisions are effective, does this sort of self-actualizing – these are provisions that don’t require regulations to become effective; is that right?
MS. MCANDREW: That is somewhat of a question, it’s a question in debate, so we’ll have to figure it out.
MS. BERNSTEIN: So I’ll have to figure out whether we get to regulate in certain areas or whether we –
MS. MCANDREW: I think our intent is that we would regulate all of these areas. At least that’s our opening gambit.
DR. SUAREZ: On that point there was an earlier question, something about the issuance of proposed regulations based on this. We had actually an interesting discussion about taking this opportunity to really go inside HIPAA privacy and adjust more things than what exist here, it’s required to be changed.
So it is your expectation that a lot of this stipulations in the Bill in the Recovery Act will mean that there will be a proposed set of rules, and the whole rulemaking process will be established or created or?
MS. MCANDREW: Yes, many of these provisions we will go through notice and comment rulemaking to implement. As we go through them you will see many of them carry a variance on the effective dates of when they are to go into place. We are trying now to align all of those dates and see how they all play out, because I don’t think any of us really want to have 22 rulemakings going on overlapping simultaneously. I don’t think – I mean the provisions of this Bill are different than either we got (?) where the legislation directs to modify the rule to do X, Y, and Z. This has none of that ‘thou shall regulate’ to do this.
At the same time, they don’t modify the Social Security Act where HIPAA went in and was codified, except for the enforcement provisions in 1176 and 1177, that’s the only portion of the existing law that they actually changed. They say that he HIPAA remains in effect, except to the extent that it is changed by any of these provisions, and the regulations shall conform now to these new requirements. So I think the best of all possible worlds is that we get these in regulatory form, the changes in regulatory form by the effective date.”
A very important quote for business associates to note:
“this will essentially make business associates liable for privacy violations in the same way that covered entities are today responsible for privacy violations.”
No more saying, “Well, we’re not covered entities so we don’t have to follow HIPAA!” I’ve heard this MANY times while doing over 150 business associate information security and privacy program reviews!
So, in short, Section 13401 essentially makes business associates responsible for complying with the HIPAA Security Rule and Privacy Rule. This provision makes business associates responsible for compliance with other requirements in the HITECH Act that are placed on covered entities, and also extends the criminal and civil liabilities for violations which were just applicable to covered entities. This makes BAs not only accountable and responsible under HIPAA & the HITECH Act, it reinforces it by also providing these requirements within contractual requirements. I see this as helping CEs to include these additional issues within the scope of the required information security and privacy program reviews.
It is interesting to note that the discussion implied that the provisions, while not explicitly part of the HIPAA rules, are still, probably, likely, foreseeably, going to be expected for HIPAA compliance.
So, bottom line, if you are a HIPAA covered entity (CE), or now a business associate (BA) of a CE, you will be expected to be in compliance with these HITECH Act provisions as they modify HIPAA by the established effective dates.
Tags: awareness and training, HIPAA, HITECH Act, Information Security, IT compliance, IT training, policies and procedures, privacy awareness, privacy training, risk management, security awareness, security training