The American Recovery and Reinvestment Act of 2009 was signed into law by President Obama on February 17, 2009. Title XIII of that act is the "Health Information Technology for Economic and Clinical Health Act," or HITECH. Among other things, HITECH contains new statutory requirements for HIPAA Business Associates. Business Associates are entities that perform functions or services on behalf of a HIPAA covered entity that involve the use or disclosure of Protected Health Information (PHI).
Before these changes, the obligations and liabilities of a Business Associate were essentially limited to those spelled out in the Business Associate Contract (also called the Business Associate Agreement), a contract that HIPAA required covered entities to enter into with their Business Associates. Under HITECH, Business Associates are subject to significant additional requirements and penalties. These requirements and penalties apply as a matter of law and take effect whether or not the Business Associate Contract mentions them. Notably, they apply to both new and existing Business Associates.
Some of the HITECH changes impacting Business Associates
Business Associates are required to implement significant portions of the HIPAA Security Rule (45 CFR Part 164, Subpart C), including its administrative, physical and technical safeguards and its policies, procedures and documentation requirements, in the same manner as was formerly required only of covered entities.
Business Associates are required to implement portions of the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) in the same manner as was formerly required only of covered entities, and may use or disclose PHI only as permitted by their Business Associate Contract.
A Business Associate must notify the Covered Entity of a breach of unsecured protected health information, and the Covered Entity must notify the affected individuals and HHS. Notice must also be given to prominent media outlets serving a state or jurisdiction when the breach involves more than 500 residents of that state or jurisdiction. HHS also maintains a public website listing all reported breaches that involve more than 500 individuals.
A Business Associate that violates any of the newly applicable HIPAA provisions is subject to the same civil and criminal penalties that formerly applied only to covered entities, and HITECH makes clear that criminal penalties can apply to the individuals within a Business Associate who are responsible for the violation. HITECH also introduced a tiered civil penalty structure. At the lowest tier, where the violator did not know and could not reasonably have known of the violation, penalties start at $100 per violation, capped at $25,000 per year for violations of an identical requirement. The tiers increase with the degree of culpability and top out at $50,000 per violation, capped at $1.5 million per year for violations of an identical requirement, when the violation is due to willful neglect and is not corrected.
HHS is required to formally investigate a complaint from an individual when a preliminary review of the facts indicates a possible violation due to willful neglect.
HHS is required to conduct periodic audits of Covered Entities and Business Associates for compliance with the HIPAA Security Standards for the Protection of Electronic Protected Health Information and the Privacy of Individually Identifiable Health Information requirements.
State Attorneys General are now empowered to bring civil actions on behalf of residents of their state to enforce these provisions and to obtain the prescribed penalties when violations are found.
This material is designed for internal University at Buffalo use only and is copyrighted. Information and documents available on this site may be freely copied and used with appropriate attribution to the University at Buffalo. None of the information on these pages should be construed as legal advice or expert opinion with respect to how any particular function or entity engages in work to come into compliance with HIPAA.