In the medical transcription (MT) industry, the most anticipated proposed change was the one related to subcontractors. The newly expanded definition of a Business Associate (BA) in the Final Rule directly addresses subcontractors. It states: “A Business Associate also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.” This change will greatly impact a large portion of the MT workforce, since there are many MT subcontractors (independent contractors) who work for MT services. Their new obligations as HIPAA BAs will be numerous, and for a single practitioner these new obligations could be overwhelming.
Here are some of the key HIPAA BA requirements that all subcontractors who handle protected health information (PHI) will now need to follow:
· A written BA agreement (BAA). This agreement would be between the subcontractor and the BA they perform services for, such as an MT service. Just as the MT service has been required since the implementation of HIPAA to have a written BAA with the Covered Entity (CE) they provide services for, now the subcontractor must also have a written BAA with the BA they provide services for. The BA must, of course, comply with all of the requirements outlined in the BAA. HHS posted an updated sample of a BAA consistent with the Final Rule on their website at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
· Comply with the HIPAA Security Rule. This includes the administrative, physical and technical safeguards for PHI, as well as a designated HIPAA Security Officer.
· Maintain written HIPAA policies and procedures.
· HIPAA training and proof of it.
· Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of its use.
· If a subcontractor uses the services of a subcontractor, and they handle PHI, subcontractor A will need to have a written BAA with subcontractor B.
· Comply with all notification requirements related to the Data Breach Rule.
· Comply with the contractual Privacy Rule requirements (e.g., termination, HIPAA training, etc.).
The scope of liability has also expanded for the BA to include the actions of their subcontractor BAs. Penalties for willful neglect have increased to as high as $50,000 per violation with a maximum of $1.5 million in a calendar year.
BAs should immediately review their use of subcontractors/independent contractors, contact them regarding their new obligations as a HIPAA BA, and execute an updated BAA with each subcontractor. Because of your expanded liability related to their actions under HIPAA, you may want to require them to provide you with a copy of their written policies and procedures (P&Ps) and proof of their HIPAA training for your records. BAs will also need to review and update their own P&Ps related to the use of subcontractors/independent contractors to reflect these new changes.
You cannot fix this new challenge by ignoring it or by deciding not to establish a BA agreement between the BA and their BA subcontractor. The Final Rule clearly states that the subcontractor to the BA is subject to the same legal obligations as a BA regardless of whether they have entered into a written BAA.
The effective date for the Final Rule is March 26, 2013, with a compliance (enforcement) date of September 23, 2013. The only exception is for business associate agreements (BAAs) that are currently in place; the deadline for those is September 23, 2014. When existing BAAs are renewed or revised before September 22, 2014, they must then conform to the Final Rule. New BAAs will be required to follow the Final Rule, so that by September 23, 2014, all BAAs are in full compliance with the Final Rule.
If you are a BA and think that no one will notice if you skimp on your path to HIPAA compliance, note that the Office of Civil Rights (OCR) announced in late 2012 that the random HIPAA audits will continue in 2013 and will be expanded to include BAs. There is no place to hide: if you handle PHI, you have major steps to follow to achieve and maintain HIPAA compliance as mandated in the Final Rule.
There is no time to wait; HIPAA compliance is not optional.
3 comments:
In recent years in Medical Transcriptions they are working directly for the providers of service doctors or their group practices either onsite or telecommuting as employees or contractors.