President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA) on Tuesday, February 17, 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA in Title XIII include important changes in Privacy (Subtitle D). Our focus in this posting is the change related to business associates under HIPAA Administrative Simplification that is specified in Section 13401: Application of Security Provisions and Penalties to Business Associates of Covered Entities. In this section, the administrative, physical, and technical safeguards, and the policy, procedure, and documentation requirements of the HIPAA Administrative Simplification Security Rule “shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” The additional requirements include civil and criminal penalties, notification provisions for a breach, and application of “guidance on the most effective and appropriate technical safeguards” as determined by the Secretary of Health and Human Services (HHS), amongst other requirements. These changes become effective one year after enactment of ARRA, on February 17, 2010.
Application of the Security Rule to business associates of covered entities is a significant change. Previously, if there were a breach involving a business associate of which the covered entity were aware, the covered entity could simply terminate the contract if the breach was not remedied. Responsibility and liability rested with the covered entity. With the change in the HITECH privacy provisions of ARRA, the business associate now has direct responsibility and liability for a breach. A breach requires notification, which is triggered when there is an incident involving “unsecured protected health information.” The Secretary of HHS is required to issue guidance on what constitutes “unsecured protected health information” within 60 days of February 17, 2009. In the absence of such guidance within the time specified, a default definition applies, based on a failure to secure such information with encryption as endorsed by the National Institute of Standards and Technology (NIST). The notification provision requires both covered entities and business associates to notify affected parties directly and individually in a timely manner, and to use appropriate public media for cases involving more than 500 individuals. This is a specification that was not defined under HIPAA Administrative Simplification. Increased penalties for a breach by a covered entity are immediately effective and will be outlined in a subsequent posting.
Covered entities should notify their business associates of the security rule, notification, and enforcement penalty changes in ARRA, and begin working on a plan to revise their business associate contracts to reflect the changes. HIPAA.com has started a series that will review over the coming weeks each of the administrative, physical, and technical standards and implementation specifications of the Security Rule. Earlier this week, we discussed the risk analysis as part of the security management process, and we will complete discussion of that security standard with its three additional implementation specifications.