As it appeared in the American Health Lawyers Association's Healthcare Liability & Litigation Health Briefs, on 9/9/09.
The HITECH Act, a portion of the American Recovery and Reinvestment Act of 2009 (ARRA), substantially broadens the government's enforcement power and increases penalties for privacy and security breaches under HIPAA. Covered entities can be hit with substantial liabilities for the actions or inactions of their business associates, such as vendors of electronic health records, transcription providers, or billing agents. Careful attention to management of business associate relationships can significantly shield against such liabilities.
Among other changes, the HITECH Act will require covered entities to notify affected individuals when there is a breach of unsecured protected health information (PHI). The breach reporting obligation will also require covered entities to provide notice of the breach to the U.S. Department of Health and Human Services Secretary (HHS Secretary), and in some instances, the media. Additional state-law reporting requirements may apply. Where a covered entity's business associate becomes aware of a breach, it is only required to notify the covered entity, identifying each individual whose unsecured PHI was accessed, acquired, or disclosed. Therefore, while neither current HIPAA law nor the HITECH Act expressly requires that business associate agreements contain indemnification provisions, many covered entities (healthcare providers, health plans, and clearinghouses) are being advised to include airtight indemnification provisions in their business associate agreements, such that the business associate will indemnify the covered entity for its substantial costs in complying with breach notification requirements where the business associate causes the breach.
As another risk-management approach, covered entities would be well advised to conduct thorough due diligence to determine whether their business associates have implemented adequate privacy and security measures, including following the recently issued HHS guidance on technologies and methodologies to render PHI unusable, unreadable, or indecipherable to unauthorized individuals. Where such approved technologies and methodologies have been adopted by the business associate, PHI will not be considered unsecured and no breach will be found; therefore, the HITECH Act's burdensome notification requirements will not apply.
If the cost of due diligence on business associates makes such measures infeasible, business associate agreements should include language committing the business associate to compliance with its new obligations mandated by the Security Rule. Consider inserting contract clauses such as the following:
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was adopted as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act and its implementing regulations impose new requirements on Business Associates with respect to privacy, security, and breach notification. These provisions of the HITECH Act and the regulations applicable to Business Associates are collectively referred to as the "HITECH BA Provisions." The HITECH BA Provisions shall apply commencing on February 17, 2010, or such other date as may be specified in the applicable regulations, whichever is later (the "Applicable Effective Date").
Business Associate hereby acknowledges and agrees that, to the extent it is functioning as a Business Associate of Covered Entity, Business Associate will comply with the HITECH BA Provisions and with the obligations of a Business Associate as prescribed by HIPAA and the HITECH Act, commencing on the Applicable Effective Date of each such provision. Business Associate and Covered Entity further agree that the provisions of HIPAA and the HITECH Act that apply to business associates and that are required to be incorporated by reference in a business associate agreement are incorporated into this Agreement between Business Associate and Covered Entity as if set forth in this Agreement in their entirety and are effective as of the Applicable Effective Date.