February 17, 2010, Deadline for Implementing HIPAA Privacy Rule Amendments and HIPAA Business Associate Compliance

Hinshaw Health Law Alert

Numerous amendments to the HIPAA Privacy and Security Rules contained within the recently passed Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) add new requirements and new restrictions for HIPAA Covered Entities and their Business Associates. Health care organizations that fail to comply with the HIPAA requirements may be subject to civil monetary penalties up to $1.5 million annually, and criminal penalties for individuals or employees of Covered Entities or Business Associates who violate the HIPAA rules.

HIPAA Covered Entities

On or before February 17, 2010, all HIPAA Covered Entities should revise their Business Associate Agreements to:

• Require Business Associates to comply directly with Security Rule provisions directing implementation of administrative, physical and technical safeguards for electronic protected health information (“e-PHI”); and development and enforcement of related policies, procedures and documentation standards, including designation of a security official.
• Impose on Business Associates an obligation to directly comply with HIPAA’s Business Associate safeguards, including limiting use and disclosure of PHI as specified in the agreement or as required by law; facilitating access, amendment and accounting of disclosures; opening books and records to HHS; and returning or destroying PHI, if feasible, upon contract termination.
• Deem a Business Associate to violate HIPAA if the Business Associate knows of a “pattern of activity or practice” by a covered entity that breaches their Business Associate agreement, but fails to cure the breach, terminate the Business Associate Agreement, or report the non-compliance to HHS.

On or before February 17, 2010, all HIPAA Covered Entities should revise their Notice of Privacy Practices and the following HIPAA Privacy policies and procedures to incorporate changes required by the HITECH Act:

• Notify Business Associates regarding new requirements 
• Establish procedures for electronically providing copies of Electronic Health Records;
• Revise policy on when authorization is needed for disclosure related to Marketing;
• Revise procedures for opting out for Fundraising;
• Revise policy on the Minimum Necessary Rule and Limited Data Sets;
• Revise policy on Accounting for Disclosures;
• Establish procedures for dealing with a patient’s request to limit information to his or her health plan;
• Establish procedures for the prohibition on the sale of Electronic Health Records or PHI; and
• Educate and train employees and staff on the new HIPAA policies and procedures

Business Associates

On February 17, 2010, Business Associates who have access to protected health information in the course of the services they provide to entities covered directly by HIPAA will, for the first time, be directly subject to many of the requirements of HIPAA.  HIPAA Business Associates will be subject to most of the HIPAA Privacy and Security Rule requirements, including direct regulation by the Office for Civil Rights and enhanced penalties for HIPAA violations. Among other things, by February 17, 2010, HIPAA Business Associates should:

• Adopt and implement reasonable and appropriate HIPAA Security written policies and procedures (,including adoption and implementation of administrative, physical and technical safeguards);
• Adopt and implement policies and procedures for complying with the Business Associate provisions of the HIPAA Privacy rule;
• Adopt a HIPAA Security Officer and implement a HIPAA compliance review/risk assessment;
• Develop and implement a complaint system
• Develop a sanctions policy; 
• Develop a system for identifying breaches and notifying covered entities following discovery of a breach of unsecured PHI;
• Mitigate any harms from the inappropriate use or disclosure of PHI; and
• Educate and train employees and staff on the new HIPAA policies and procedures.

For additional information, please contact Michael A. Dowell or your regular Hinshaw attorney before the February 17, 2010, deadline

This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.