For businesses working alongside healthcare providers, payers and clearinghouses, this September may be a stressful month preparations for the next deadline under the 2013 Omnibus Privacy Rule. As of September 23, 2013, these healthcare providers, payers, and clearing houses (“Covered Entities”) and their associated service providers (“Business Associates”) must be in compliance with a variety of new requirements since HIPAA was amended as part of the American Recovery and Reinvestment Act (“ARRA”) signed into law by President Obama on February 17, 2009. It would be a questionable use of blog space to write out all the things that might need to happen for any Business Associate between now and the deadline. However, here are some things for businesses in the healthcare space to consider:
1. Are you even a Business Associate? I know. Such a simple question, but worth asking before you go through the myriad of things to comply with HIPAA and any Business Associate Agreements you may be requested to execute. To be sure, the new law expanded and clarified the definition of a Business Associate, but it never hurts to doublecheck and make sure you are a Business Associate before you dive into HIPAA compliance measures. Just because you do business with a Covered Entity does not necessarily make you a Business Associate for HIPAA purposes. The next step is to follow the information.
2. PHI or not PHI? Beyond the definitions of parties to a transaction, a simple question is whether your business gets and uses Protected Health Information, or “PHI.” This is the central question for pulling the trigger on whether HIPAA applies or not. If your business is not collecting, using, storing, or transferring PHI that was given it by a Covered Entity, HIPAA may very well not apply. PHI is defined here. Take a moment and ask: Do we even get this information?
3. HIPAAAAH No! We are a Business Associate! If you are indeed a Business Associate, then you do need to get your HIPAA hut in order. Take a breath. It does not have to be a painful and expensive process. Every situation is different, to be sure, but here are the basics to get you thinking of how to move forward (and quickly):
a. Business Associate Agreements. If you have not already, you will need to execute these agreements with any Covered Entity that is providing you PHI in the course of providing your goods or services. Again, the easy part here is that most often such an agreement is coming from the Covered Entity, as they have to comply with HIPAA too. In these cases, all you have to do is review and determine whether you can comply and negotiate accordingly.
b. Privacy Rule and Security Rule. With the new law going into effect, some of the Privacy and Security Rule requirements that were originally limited to Covered Entities now apply to Business Associates. The good thing about HIPAA is that the law recognizes not all business are alike, nor are the risks to PHI the same in every business transaction. Thus, the Security Rule’s implementation specifications (“Required” and “Addressable”) that Covered Entities and Business Associates must meet are directly related to the risks associated with their particular business. This is not a one‑size‑fits‑all proposition. Small businesses and large corporations, alike, have to comply with HIPAA while each having vastly different resources.
c. Policies, Procedures, and your own Business Associate Agreements. This being said, your business will have to comply. Therefore, in line with your business operations and related risks, you need to draft appropriate policies and procedures to ensure your company’s proper collection and use of PHI, as well as implement reasonable administrative, technical and physical safeguards. Furthermore, if your company shares PHI with other companies (i.e., subcontractors or vendors), you also have to execute Business Associate Agreements with them to ensure this sharing of information does nothing to undermine your obligations to the Covered Entity.
In closing, I am not suggesting HIPAA compliance is a piece of cake and can be knocked out in an afternoon, especially for a Business Associate for whom information is not necessarily the core of their product or service offering. Compliance planning can be very complex and the risks of non-compliance are indeed steeper with new enforcement provisions and liabilities in place. It is always wise to seek legal counsel on the obligations that might face your business. What I am saying is that planning and implementing the necessary requirements need not be void of common sense and a reasonable, risk-based approach. As with any decision in the modern marketplace, a Business Associate needs to take in the information, assess its goals and obligations, and then execute a plan to satisfy them.