Monday March 15, 2010
BridgeFront - http://www.hipaarx.net & Regulatory Compliance Products - HOME
 

 

Stimulus Package & New HIPAA Provisions

There are important changes on the horizon regarding HIPAA regulations. The $787 billion American Recovery & Reinvestment Act of 2009, or stimulus package, recently signed by President Obama incorporates significant changes to Healthcare IT – including HIPAA Privacy & Security regulations.

There are several new provisions in the Act that will affect you:

  • Enforcement Escalation – Audits will be dramatically increased. The State Attorneys General will be prosecuting criminal violations and assessing fines in a more aggressive manner.

  • Accountability – The new provisions make Covered Entities fully responsible for Business Associates. Business Associates are also now expected to report Covered Entities if they see violations.

  • Increased Liability – Individuals will be held accountable in addition to organizations.

  • New Disclosure Rules – If a breach occurs, you will be required to alert those impacted, alert authorities, post announcements in newspapers and report all breaches annually to the Department of Health & Human Services (DHHS).

The new HIPAA regulations in this stimulus package will start becoming effective in the next few months. Before then, you should assess your current HIPAA policies and procedures and re-train your staff.

Keeping your staff aware of their responsibilities is the cheapest insurance you have to protect yourself and your practice. 

Take Action & Learn More

For more information on how the stimulus package’s new HIPAA regulations affect your organization, download our free white paper, subscribe to our quarterly HIPAA Flash newsletter, or learn about our extensive training solutions.


Download a free white paper on the impact of this Act on HIPAA Privacy & Security regulations.

     

Subscribe to our free, quarterly HIPAA Flash newsletter delivered via email.

     
Learn about our HIPAA online education.

Next Steps for Covered Entities

Here are the next steps Covered Entities (CE) need to take in order to become and stay compliant with the stimulus package’s new HIPAA provisions:

  • Take inventory and review all provisions of the BA agreements it has entered into with BAs, and consider whether the BA agreements need to be amended.
  • A CE should determine whether there is any basis contained in the BA agreement for determining that all of the additional security and privacy requirements are “incorporated” into the BA agreement, without the agreement having to be amended.  
  • If BA agreements need to be amended, these amendments must be made by February 17, 2010.
  • Review all HIPAA policies and procedures and revise those procedures where necessary to incorporate any new obligations imposed by the Act.
  • Modify training programs to include the changes made by the Act.
  • Determine whether it contracts with organizations that:
      (i) Provide data transmission of protected health information (“PHI”).
      (ii) Require access on a routine basis to such PHI (e.g., Health Information Exchange Organizations, Regional Health Information Organizations, E-prescribing Gateways, or vendors that contract with a CE to allow that CE to offer a PHR to patients as part of its EHR).
    If it does, then the CE will need to enter into a BA agreement with any such organization.

Next Steps for Business Associates

Here are the next steps Business Associates (BA) need to take in order to become and stay compliant with the stimulus package’s new HIPAA provisions:

  • Take inventory and review all provisions of the BA agreements it has entered with CEs, and consider whether the BA agreements need to be amended. BAs should review the BA agreements to:
      • Determine whether there is any basis contained in the BA agreement for determining that all of the additional security and privacy requirements are “incorporated” into the BA agreement, without the agreement having to be amended. If BA agreements need to be amended, these amendments must be made by February 17, 2010.
      • Determine their obligations under the privacy provisions of the BA agreements. Note that the Act requires BAs to abide by the privacy provisions of the BA agreements and subjects BAs to penalties if they do not. Some of the BA agreements may contain provisions greater than those required by the HIPAA Privacy and Security Provisions. If they do, a BA could be held subject to the penalties under HIPAA for a violation of the provisions. If such provisions are contained in the BA agreements, BAs may want to approach the CE and request that these provisions be removed.
  • Make sure that your organization meets the greater administrative, technical and physical safeguard requirements imposed on BAs by the Act.

Contact Us

Discover our economical, comprehensive suite of training products and HIPAA consulting services. Simply call (866) 447-2211 or send an email to info@hipaarx.net

HIPAA Solutions has developed a great turn-key certifications process.
HOW CAN WE HELP YOU?

HIPAA Solutions Rx
Toll Free 866-447-2211
Info@hipaarx.net
www.hipaarx.net


