This year is flying by us. Before we know it, it’s going to be 2010 – and that means significant changes in privacy and security measures for service providers to the healthcare industry. One of the more important changes for the medical transcription industry is the Health Information Technology for Economic and Clinical Health (HITECH) Act, which becomes effective in February 2010. Just when you thought the government couldn’t make anything more convoluted and difficult than HIPAA – they came up with HITECH. Never underestimate the ability of bureaucracy to confuse the public!
In an effort to help doctors make sense of this mess, the AMA News has been running columns that, as a side effect, also help out business associates, so it is a good idea to follow along if you are interested in what the doctors are being told and how it applies to medical transcription services. Attorney Steven Harris, reporting in the AMA News, writes:
Those agreements you signed to comply with the Health Insurance Portability and Accountability Act probably need to be torn up, rewritten and re-signed.
One of the most significant changes that HITECH makes to HIPAA is that the relationship becomes bilateral. Under HIPAA, medical transcription service providers were not covered entities. Under HITECH, they are. Under HIPAA, the physician was responsible for monitoring business associates for breaches. Under HITECH, the business associate must also monitor the physician’s compliance.
In another article, Stimulus package alters HIPAA rules for business associates, Mr. Harris goes into some informative detail about what business associates are supposed to be protecting:
A business associate is someone who, on behalf of a covered entity, performs an activity involving the use or disclosure of individuals’ health care information.
…Under the stimulus bill, several HIPAA security provisions now apply to business associates in the same manner that those provisions apply to covered entities. That means business associates of covered entities will now have an affirmative duty to protect the confidentiality of electronic protected health information created, received, maintained or transmitted in performing services for or on behalf of covered entities.
Even if you are only providing services 1:1 to a physician, read the article by Mr. Harris and take steps to protect yourself. He suggests that a contract should outline what steps the physician will take if there is a suspected breach, so that both parties know what to expect and for reporting purposes.
At this point, other than to say it’s probably time to start looking at the contractual relationships you have with your clients, regardless of how small you think you are and whether or not you believe HITECH will impact you in any significant way, I’m not going to go into detail about what MTs may or may not be required to do as a result of this legislation. I will suggest that you follow Mr. Harris’ articles at the AMA News. They’re written for doctors, but MTs and MTSOs will be able to apply much of what he writes about.
We should be precise. A business associate is still just that – a BA, not a covered entity as stated above – within the formal meaning of that term. In fact, there are still a number of HIPAA requirements that apply to CEs but not (directly) to BAs.
For another thing, the BA Agreement is still the primary controlling document where the BA is concerned, and in one sense HITECH makes it even more so. Now, the BA is made legally liable for noncompliance with the terms of its agreements – which is something that some (many?) have not actually done heretofore. In the legislative history, there is reason to believe that failure to adhere to the BAA will likely be a major determinant, other than criminal, malicious or pecuniary intent, in deciding which of the various legal sanctions that HITECH provides will actually be imposed for BA violations.
The BAA will certainly be more demanding and detailed, particularly with respect to the Security Rule, but in the HITECH seminar that I attended just recently, both attorneys (from different firms) opined that many BAAs are already crafted well enough that they will only need modifications of a few of their terms, not wholesale rewrites.
As for the BA needing to “monitor” the covered entity’s compliance as suggested above, I’m thoroughly puzzled. I can’t think what language in either HIPAA or HITECH would impose such an affirmative duty on the BA, nor what circumstance would make it necessary unless it might be something like defective deidentification of a research data set or some other kind of accidental impermissible disclosure perhaps? And, for such an affirmative duty to attach, I would think it would have to be a situation in which the BA is in the better position to recognize the CE’s breach? Any enlightenment appreciated – thanks.