The American Recovery and Reinvestment Act (Recovery Act), signed into law on February 17, 2009, broadens the scope of the Health Insurance Portability and Accountability Act (HIPAA) to impact not only covered entities—including physicians, hospitals and health plans—but also those entities that support the healthcare industry as "business associates," which include third-party administrators, consultants, service providers and attorneys. Additionally, organizations that provide data transmissions of protected health information (PHI) to covered entities or business associates now will be required to enter into business associate agreements with covered entities.
The Recovery Act extends specific HIPAA regulatory requirements to business associates. Beginning February 17, 2010, the administrative, physical and technical safeguard requirements of the security regulations, as well as the policies, procedures and documentation requirements, will apply to business associates. Traditionally, business associates were required by contract to use certain precautions regarding the use and disclosure of PHI, and if a business associate unlawfully disclosed PHI, it faced only a breach of contract claim by the covered entity. Under the Recovery Act, business associates now face civil and criminal fines and penalties for HIPAA violations.
The U.S. Department of Health and Human Services (HHS) is now required to conduct periodic audits to make sure covered entities and business associates are complying with the new privacy and security requirements. Additionally, state attorneys general have been granted expanded authority, generally effective immediately, to bring enforcement actions for violations of HIPAA on behalf of the citizens of their respective states. In light of the HIPAA changes contained in the Recovery Act and the impending regulations, covered entities and business associates should prepare to reevaluate current HIPAA policies, assess levels of access to PHI and prepare to incorporate the required changes into business associate agreements.