For HIPAA Business Associates, the Stimulus Is a Game-Changer | [node:field-byline] | Healthcare Blogs Skip to content Skip to navigation

For HIPAA Business Associates, the Stimulus Is a Game-Changer

February 14, 2009
by Reece Hirsch
| Reprints

On Tuesday, when President Obama signs into law The American Recovery and Reinvestment Act of 2009, better known as the federal economic stimulus package, the world is going to change for a wide range of healthcare technology companies. For the many healthcare companies that are "business associates" of HIPAA covered entities, their legal obligations, and potential liabilities, will dramatically expand.

The Stimulus will include a provision requiring all business associates to comply with the HIPAA security regulations in the same manner that covered entities comply. That means that business associates must perform security risk assessments and adopt written policies and procedures that address the HIPAA Security Rule's administrative, physical and technical safeguards standards. Simply signing a business associate agreement that states that you will "reasonably and appropriately protect" protected health information will no longer be sufficient.

In addition, HIPAA's civil and criminal penalties will now apply to business associates in the same way that they apply to covered entities. These new provisions will become effective one year after the effective date of the Stimulus legislation.

There are many more significant changes to HIPAA included in the Stimulus, but I'll save that for future postings ....



Reece -

Your term, "Game Changer" is a good term for the Stimulus Bill changes to HIPAA, since healthcare organizations will soon learn that risk management will become a vital part of managing the business associate (BA). In the past covered entities (CE's) have often argued that:

1. CE's or BA's cannot be sued for a HIPAA violation
2. Civil liability was not an issue
3. Enforcement was non-existent and auditing of the BA was not required by HIPAA

However, the "Game Changer" will become, CE's and BA's realizing they can be sued for a HIPAA violation and face civil litigation. Moreover, with increased enforcement, CE's "reasonable diligence" of a BA will be closely scrutinized and auditing of the BA in some form will become standard operating procedure.

Grant Peterson, J.D.

Anthony: I have two responses to that sort of comment

First, the HITECH Act includes several measures intended to kick-start HIPAA enforcement and give it more teeth, including: (i) increasing civil penalties for HIPAA violations (ii) requiring the Secretary of HHS to impose civil penalties for violations of the Privacy Rule involving willful neglect, and (iii) authorizing state Attorneys General to file suits on behalf of individuals affected by HIPAA violations.

Second, for health care technology companies that are business associates, their covered entity customers are going to start asking what they have done to satisfy these new legal requirements. Companies that want to maintain the confidence of their customers will be able to demonstrate that they have implemented required policies and procedures and taken other necessary actions. Reece

Reece: What would you say to people that respond, "HIPAA doesn't have teeth, so we're not going out of way to do more than lip service to the new requirements."