Three new HIPAA/HITECH Act rules go into effect this month:
Two weeks from today, on Wednesday, February 17, 2010, Business Associates of Covered Entities must comply with the HIPAA Security Rule. For the first time Business Associates will be regulated by the federal government. Section 13401 of Subtitle D (Privacy) of the HITECH Act (42 USC 17931) states that “[t]he additional requirements of this title that related to security and that are made applicable with respect to Covered Entities shall also be applicable to such a Business Associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” [Public Law 111-5, p.260] In addition, penalties that apply to Covered Entities also will apply to Business Associates for noncompliance with the provisions of the Security Rule.
The next day, Thursday, February 18, 2010, a new restriction on disclosure of protected health information goes into effect that impacts Covered Entity health care providers. According to Section 13405 of Subtitle D of the HITECH Act (42 USC 17935), a health care provider must honor a patient request to restrict disclosure of protected health information to a health plan for purposes other than carrying out treatment (namely, payment or health care operations) if the patient pays the health care provider out of pocket in full.
Finally, on Monday, February 22, 2010, enforcement of the Breach Notification Rule goes into effect for “failure to provide the required notifications for breaches” of unsecured protected health information discovered on or after the February 22 date. [74 Federal Register 42757, August 24, 2009]. The Breach Notification Rule applies to Covered Entities and Business Associates, provides obligations for each regarding compilation and reporting of information pertaining to a breach by either party, and requires “incorporation [of those obligations] into the Business Associate Agreement between the Business Associate and the Covered Entity.” [42 USC 17934]