As a general rule of thumb for legal issues, being proactive tends to be much less expensive than being reactive. This general rule certainly applies to health care providers, their business associates and, now, business associate subcontractors with respect to changes required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Omnibus Final Rule (Final Rule), implementing provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act passed in 2009, became law last week on March 26, 2013. The Final Rule significantly modifies HIPPA requirements for compliance and security measures intended to protect health information (PHI), especially business associate agreements. Health care covered entities and their business associates and subcontractors have six months to become compliant with the rule, or face large fines (up to $1.5 million). The deadline for compliance is September 23, 2013, and the clock is ticking. Quickly.
According to the U.S. Department of Health & Human Services (HHS), the Final Rule is intended to bolster privacy and security protections for PHI under HIPAA by greatly enhancing the government’s ability to enforce the law. Health care provider audits are expected to dramatically increase in the coming months and years. Assuming that an audit will not happen is a mistake for any health care provider. Fines for HIPAA violations can be considerable, up to $1.5 million.
Under the Final Rule, parts of the HIPAA “Security Rule” (security requirements for electronic PHI) and “Privacy Rule” (security requirements for privacy of PHI) will now apply directly to business associates so that business associates will be potentially liable for civil and criminal penalties for any non-compliance with the HIPAA regulations, rather than just a breach of contract. Additionally, many subcontractors of business associates will now be covered. Liability for data breaches and other non-compliance can lie with the subcontractor, the business associate or the covered health care entity.
So, who is a “business associate”?
This is an important question because many changes under the Final Rule will profoundly impact not only covered entities and existing business associates, but other entities that now meet the definition of “business associate” and downstream business associate subcontractors whose services touch PHI. The Final Rule broadened the definition of “business associate” so that anyone who creates, receives, maintains, or transmits PHI might be deemed subject to HIPAA rules as a business associate. For example, the new definition includes companies or persons that “maintain” PHI, such as a data storage company or a company that provides data transmission services.
Legal counsel should be consulted to determine what business partners and vendors might be deemed “business associates” by HHS in the event of an audit. The reality is that many (probably most) business associates are currently not compliant with HIPAA and, if they consider the issue at all, may be in denial. HHS has decided it will deal with the issue more aggressively. Prudent health care providers must promptly inventory their business relationships to identify all business partners and vendors that meet the broadened definition of “business associate” under HIPAA rules and ascertain whether business associates are compliant with HIPAA’s risk assessment and other compliance protocol. This process should include evaluation of existing business associate agreements and, ultimately, health care providers should insist that every business associate demonstrate compliance.
Do your business associate agreements need to be updated?
Covered entities, business associates and subcontractors have until September 23, 2013 to execute business associate agreements compliant with the Final Rule. Under the Final Rule, business associate agreements must be updated to require that:
– the business associate comply with applicable requirements of the Security Rule.
– business associate ensure subcontractors that create, receive, maintain or transmit electronic PHI on behalf of the business associate agree to comply with the requirements of the Security Rule.
– the business associate ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such PHI.
– the business associate report breaches of unsecured PHI.
– the business associate carry out a covered health care entity’s obligation under the Privacy Rule (e.g., serving as the privacy official)
– the business associate comply with the requirements of the Privacy Rule that apply to the performance of such obligation.
It is estimated that up to 500,000 existing Business Associates will have to have new business associate agreements.
Continue reading ›
















The U.S. Department of Health and Human Services (HHS) published the HIPAA final omnibus rule (Final Rule) on January 25, 2013. The Final Rule deals with required changes for medical practices and other health care providers that HHS determined are necessary to secure protected health information (PHI). As a result of the Final Rule, many health care providers must update existing business associate agreements, revise existing notices of privacy practice, and require some business associates’ subcontractors to execute business associate agreements. For many medical practices and health care businesses, this process may be a tedious undertaking and, therefore, should begin promptly. The deadline for compliance is September 23, 2013.
Our health care system’s slow-but-sure conversion from paper to electronic health records (EHR) continues throughout the United States. The push toward EHR is strong, both as an inevitable industry trend toward efficiency and because of the mandate of federal law. EHR is obviously an integral part of health care reform changes. See January 31, 2013 post. Unintended adverse consequences of going paperless have appeared, however, including an apparent trend by doctors and other health care providers to haphazardly copy and paste identical notes from one patient visit to another.
A single unencrypted laptop computer containing electronic protected health information (ePHI) cost The Hospice of North Idaho (HONI) $50,000. HONI agreed to pay the U.S. Department of Health and Human Services (HHS) a $50,000 fine to settle potential breaches of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the U.S. Department of Health and Human Resources (HHS) to conduct audits to ensure health care providers, health care industry organizations, and their business associates comply with HIPAA. The HHS Office for Civil Rights (OCR) audit program scrutinizes policies and procedures (or lack of same) of HIPAA-covered entities. Audit protocol looks at many elements (which may vary based on the type of covered entity audited) categorized as privacy requirements, security requirements, and breach notification requirements. The OCR makes available its audit protocol
On January 15, 2013, Dr. Joel I. Bertstein, a La Jolla, California oncologist, pled guilty to a charge that he introduced an unapproved drug into interstate commerce and administering it to patients. The drug is a cancer fighting drug known as “Mabthera.” Mabthera has not been approved by the U.S. Food and Drug Administration (FDA) for use in the United States and is intended for marketing in Turkey. Rituxa is the approved U.S. drug that contains the same active ingredient and is used to fight lymphomas and leukemias.


Federal law enforcement agents arrested one Chicago-area resident and six Detroit-area residents based on allegations of home health care fraud. In an 18-count indictment unsealed on January 17, 2013, the federal government contends that the seven parties effectuated a scheme to defraud Medicare based on claims for in-home health services at Royal Home Health Care Inc., Prestige Home Health Care Services Inc., Platinum Home Health Services Inc. and Empirical Home Health Care Services Inc. According to the indictment, Medicare was defrauded of over $22 million based on false claims for services since August 2008.