The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/7599
Peer to Peer, Best Practices (www.iltanet.org, page 10)

HIPAA Rules for Law Firms

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes privacy and security rules protecting medical records (known as "Protected Health Information" or "PHI" in HIPAA). HIPAA applies to "covered entities," which are healthcare providers, health plans, and healthcare clearinghouses. HIPAA permits covered entities to disclose PHI to organizations working for them, such as law firms or accounting firms, which are defined as "Business Associates" under HIPAA. Covered entities are required to enter into contractual arrangements with Business Associates (known as "Business Associate Agreements") to obtain promises to maintain the confidentiality of the PHI received.

THE EFFECT OF THE HI-TECH ACT

However, the landscape is changing for Business Associates. The HI-TECH Act, enacted as part of the American Reinvestment and Recovery Act of 2009, makes fundamental changes affecting HIPAA Business Associates.

First, the HI-TECH Act makes certain HIPAA rules directly applicable to Business Associates. As of February 17, 2010, Business Associates are directly subject to the following HIPAA security rules:

(1) the administrative safeguards contained in 45 C.F.R. 164.308,
(2) the physical safeguards contained in 45 C.F.R. 164.310,
(3) the technical safeguards contained in 45 C.F.R. 164.312, and
(4) the policies, procedures and documentation requirements contained in 45 C.F.R. 164.316.

These security rules regulate how electronic PHI must be handled and maintained. For example, 45 C.F.R. 164.308(a)(1)(ii) requires an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI held by the Business Associates; 45 C.F.R. 164.310(c) requires implementation of physical safeguards for all workstations that access electronic PHI to restrict access to authorized users; and 45 C.F.R. 164.312(b) requires implementation of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI. These are merely some examples — the applicable regulations contain many more requirements. Additionally, Business Associates are subject to the new HIPAA rule requiring notice to be given when there is a breach of unsecured PHI. Clearly, these rules will impose vast and substantial burdens on Business Associates.

PENALTIES FOR BUSINESS ASSOCIATES

Second, the HI-TECH Act makes Business Associates directly subject to HIPAA penalties. Previously, if a Business Associate failed to maintain the confidentiality of PHI, the result would be a possible breach of contract and potential

The new penalty structure, applicable to Business Associates as well as covered entities, is as follows:

Violation category (as provided in 42 USC 1320d-5(a)(1))   Penalty range for each violation   Maximum penalty for all violations of an identical provision in a calendar year
---------------------------------------------------------   --------------------------------   ---------------------------------------------------------------------------
(A) Did Not Know                                            $100-$50,000                       $1,500,000
(B) Reasonable Cause                                        $1,000-$50,000                     $1,500,000
(C)(i) Willful Neglect — Corrected                          $10,000-$50,000                    $1,500,000
(C)(ii) Willful Neglect — Not Corrected                     $50,000                            $1,500,000