Today, Wednesday, February 17, 2010, Business Associates of Covered Entities must be able to demonstrate that they are in compliance with administrative, physical, and technical safeguards of the HIPAA Security Rule, as required by the HITECH Act, enacted one year ago today as part of the American Recovery and Reinvestment Act of 2009. In addition, Business Associate Agreements must be rewritten or amended to specifically require a Business Associate’s compliance with the Security Rule as part of its “satisfactory assurances.” Financial penalties for noncompliance discovered during a compliance audit or complaint investigation could be severe, especially for willful neglect.
Here are the appropriate authorities:
Section 13401 of Part 1 (Improved Privacy Provisions and Security Provisions) of Subtitle D (Privacy) of the HITECH Act (p. 260): Application of Security Provisions and Penalties to Business Associates of Covered Entities
(a) Application of Security Provisions. Sections 164.308 [Administrative Safeguards], 164.310 [Physical Safeguards], 164.312 [Technical Safeguards], and 164.316 [Policies and Procedures and Documentation Requirements] of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity. [42 USC 17931]
(b) Application of Civil and Criminal Penalties. In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provisions. [42 USC 17931]
NOTE: Effective the day after enactment of the HITECH Act (February 18, 2009), financial penalties were substantially increased for noncompliance with HIPAA standards, which cover the policies, procedures, actions, assessments, and documentation requirements examined during a compliance audit or complaint investigation.
Section 13423 of Part 2 (Relationship to Other Laws; Regulatory References; Effective Date; Reports) of Subtitle D (Privacy) of the HITECH Act (p. 276): Effective Date
Except as otherwise specifically provided, the provisions of part 1 shall take effect on the date that is 12 months after the date of the enactment of this title. [42 USC 17953]
Today marks the beginning of direct federal regulation of business associates’ compliance with the HIPAA Security Rule. [02/17/10]