Hipaa One Year Later: Is Your Law Firm Complying?, 14 NHBJ, 2014 Spring-Summer, Pg. 6
Authors: Charla Bizios Stevens and Hannah E. Zaitlin
Spring/Summer 2014
Since it was enacted in 1996, discussion and confusion concerning the Health Insurance Portability and Accountability Act ("HIPAA")

Since nearly a year has passed since the compliance date for most provisions of the Final Rule
To fully appreciate how, or whether, the Final Rule applies to you or your law firm (or, for that matter, your clients), a general understanding of HIPAA and its regulatory regime is in order. As noted above, the regulatory regime arises from the Administrative Simplification ("AS") provisions, which required HHS to establish national standards for electronic healthcare transactions; national identifiers for providers, health insurance plans, and employers; national standards to protect the privacy and security of personal health information; and civil money penalties for violations of the AS provisions.
The AS provisions and the HIPAA Rules apply to three types of entities, known as "covered entities": healthcare providers who conduct covered transactions electronically, health plans, and healthcare clearinghouses.
Covered transactions include those in which so-called protected health information ("PHI") is transmitted to carry out financial or administrative activities related to healthcare (e.g., billing, confirmation of coverage).
The overarching objective of the AS provisions and the HIPAA Rules is to require covered entities (which may be individuals or business entities) to protect the privacy and security of PHI and to provide individuals with certain rights with respect to their health information. The Final Rule sought to strengthen these protections and rights by, in pertinent part, significantly expanding the accountability and obligations of certain entities that do business with covered entities: so-called "business associates" and their subcontractors.
Specifically, the HITECH Act and the Final Rule require business associates to comply with the Security Rule. The Final Rule broadened the definition of a "business associate" and implemented Section 13404 of HITECH, which makes certain requirements of the Privacy Rule applicable to business associates and creates direct liability for noncompliance by business associates with regard to those requirements.
The Final Rule also requires updated provisions in BAAs and now requires business associates to have BAAs with their subcontractors. BAAs must provide that the business associate (or subcontractor, as applicable): (1) shall abide by the Security Rule concerning ePHI and the applicable provisions of the Privacy Rule; (2) shall report breaches of unsecured PHI to the covered entity (or business associate, as applicable) as required by the Privacy Rule and the Breach Notification Rule; (3) shall certify that, if used, a subcontractor will agree to the same requirements that apply to the business associate regarding the handling of protected health information; (4) will terminate a business associate contract...