The HITECH Act's wide-ranging changes to HIPAA are effective in less than sixty days. Entities that routinely handle patient information – healthcare providers, health plans, and the vendors and contractors that service the healthcare industry – are subject to the enhanced HIPAA regulations and penalties beginning September 23, 2013. The following eight specific action items will help Covered Entities, Business Associates, and Business Associate "Subcontractors" prepare for the HIPAA - HITECH final countdown.
- Implement Security Rule Requirements. Business Associates are now directly subject to the HIPAA Security Rule. As a result, Business Associates must take specific actions to meet Security Rule obligations, including a risk assessment to identify risks/vulnerabilities and adoption of appropriate policies and procedures.
- Update Privacy Policies. The HITECH regulations add new restrictions on the use of patient information and expand patient rights to access that information, among other changes. Covered Entities and Business Associates must revise policies, procedures, and internal guidelines to address these changes to the HIPAA Privacy Rule.
- Identify Business Associates. The Final Rule expands and clarifies the definition of "Business Associate," which encompasses the growing universe of vendors and contractors that service the healthcare industry and require access to patient information. Covered Entities must evaluate whether they do business with Business Associates, and if so, execute the required Business Associate Agreements.
- Identify Business Associate "Subcontractors". Subcontractors that create, receive, maintain, or transmit protected health information on behalf of a business associate are now themselves "business associates" - even if the subcontractor does not have a direct relationship with the Covered Entity. Entities that perform any function involving patient information must evaluate whether they are such "business associates" - and if so, meet HIPAA's requirements.
- Update Business Associate Agreements. The HITECH regulations require specific changes to Business Associate Agreements. In certain circumstances, these changes can be implemented after September 23, 2013; however, parties must comply with the new HITECH provisions regardless of whether the Business Associate Agreement has been updated. To avoid inconsistency between the new HITECH requirements and a Business Associate Agreement's existing provisions, parties should consider revising their Business Associate Agreements at the earliest opportunity.
- Update Breach Notification Policies & Procedures. The HITECH Rule significantly alters the HIPAA Breach Notification requirements. Accordingly, Covered Entities and Business Associates should update their Breach Notification Policies and Procedures to address the new breach standards.
- Train Workforce on New Policies. Covered Entities and Business Associates must implement the new changes to their HIPAA Policies and Procedures. A key aspect of implementation is workforce training (employees, volunteers, and others who work under the direct control of the Covered Entity or Business Associate) on the requirements of the updated Policies and Procedures.
- Establish Vendor Management Program. The actions of a Business Associate can result in significant financial, operational, and reputational harm for a Covered Entity – from breaches to HIPAA investigations. Accordingly, Covered Entities should carefully consider vendor management when contracting with Business Associates. The same concept applies to a Business Associate's approach to its Business Associate Subcontractors. Components of a successful vendor management program include close coordination between representatives from legal, risk management, privacy, and information security, as organizations must analyze and understand the flow of, and access to, data. As part of adopting a vendor management program, organizations should consider a governance model that addresses the release of, and access to, data; appropriate due diligence measures; appropriate internal standards; and enforcement mechanisms and communication plans. Insistence on adherence to these policies and standards, along with a robust program of review and oversight, should be clearly communicated from the top down.
A copy of the HIPAA-HITECH Final Rule, as well as prior Nelson Mullins summaries of the new HIPAA requirements, is available here (link to http://www.nelsonmullins.com/pages/hipaa-webinar/384).