HIPAA Blog Posts: HIPAA HITECH Act
Business Associates Liable for Breach of Their Business Associate Agreements, Effective February 17, 2010
Consequently, effective Feb. 18, 2010, the HITECH Act makes business associates both contractually liable to a covered entity for breach of the business associate agreement with the covered entity and civilly and criminally liable to the government for violations of those Security Rule requirements and the Privacy Rule's business associate agreement requirements.
OCR Issues Proposed Modifications to HIPAA Privacy and Security Rules
"Also, the parties to a business associate agreement must include provisions in the agreement requiring the business associate to take reasonable steps to cure any material breach or violation of the business associate agreement between the business associate and a subcontractor, or terminate the contract."
Daniel Sulton, Ford & Harrison LLP
Of the 385 organizations hit with data breaches so far this year, 113 were in health care, according to the Identity Theft Resource Center's report for July 28. Just 39 breaches have been reported in banking and finance, according to the ITRC. Experts cite a lack of compliance and improper data access by insiders as culprits.
"Three days ago, my credit card number was used fraudulently. Today I received a letter from Anthem telling me a breach had occurred, leaking my Social Security number, name & credit card number."
HHS releases proposed HITECH rule
Foley & Lardner LLP
On July 14, 2010, the Office for Civil Rights of the Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (Proposed Rule) that proposes significant changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Enforcement Rules.
"Vendors seeking to court healthcare clients will now need to pitch not only functionality but a compliance message as well."
Report From the Trenches: Health IT Post-HITECH, by Ed Moyle, TechNewsWorld, 07/20/10 5:00 AM PT
"The rule makes it much clearer that the covered entities' responsibilities must go far beyond just having a business associate agreement," Rebecca Herold stresses. Instead, hospitals, clinics and others must work closely with their business partners to make sure they're carefully following the HIPAA privacy and security rules, she adds.
"For those business associates that have not already adopted HIPAA-compliant privacy and security standards for PHI, the risk of criminal and/or civil monetary penalties may spur them to increase their efforts to comply with privacy and security standards."
NPRM, page 164
This NPRM from HHS contains a clear warning to business associates: HHS expects them to be HIPAA/HITECH compliant under their business associate agreements now, and those that are not should start immediately.