Compliance Helper Blog

HIPAA HITECH Rules De Facto Standard?

Kirk Nahra is a respected healthcare attorney with Wiley Rein, LLP. While this article is broad in its scope, he focuses on healthcare and the widespread ramifications of HIPAA HITECH if implemented as proposed in the NPRM. In a sense, any company touching on healthcare must be HIPAA HITECH compliant, and since healthcare is a third of the US economy, that is a large net.

"What's Happening with Health Care, and Why Does It Affect Everyone?

While most of these top developments affect the full range of corporate America, our next issue to watch is focused on the health care industry. The Health Insurance Portability and Accountability Act (HIPAA) privacy and security structure has created the most detailed and complex set of privacy and security requirements at the federal level, since the privacy rule first required compliance in 2003. Now, following passage of the Health Information Technology for Economic and Clinical Health (HITECH) law in 2009, we (finally) will see in 2012 the issuance of final HITECH regulations that will kick off the full Version 2.0 of the HIPAA era.

But this development is critical because HIPAA/HITECH no longer is limited in any meaningful way to the health care industry. Instead, two key developments-one not yet set in stone-demonstrate that these changes will affect an enormous range of companies across the country, many of which have no obvious tie to the health care industry. First, one of the key changes from the HITECH law concerns the applicability of the privacy and security rules to "business associates," which are service providers to the health care industry. These entities have had contractual obligations for many years, but the new law requires that these business associates face legal obligations directly under the rules as well. So, through this step (which is being implemented in rules that are not yet final), the scope of HIPAA now will extend to any company that provides services to health care companies that involve any health care information (as well as creating complex negotiations and various other debates about whether health care information really is involved in providing the service).

The second step expands this circle even more. In the proposed regulations applying this statutory language, the Department of Health and Human Services (HHS) proposed to expand coverage not only to the companies that contract directly with the health care companies (which clearly are encompassed by the statutory changes and would know that they are contracting with health care companies) but also to any downstream vendor that contracts with those service providers, and on down the chain, indefinitely. This creates a potentially never-ending chain of contractual entanglements that impose legal obligations -- even in situations where the downstream vendors may not have any idea they are involved in information from a health care company. This requirement would apply not only to specific "subcontractors" that perform a part of the work assigned to the business associate but also to a wide range of general service providers to the business associate (e.g., accounting firms, law firms, consultants, auditors) that perform work generally for the business associate that is not necessarily tied to any particular client or project. And, because the primary legal obligation imposed by these new provisions is to follow the full scope of the detailed and complicated HIPAA Security Rule, companies will be faced with a choice even before they receive any health care information about whether to take on the task of revamping overall security programs. So, we'll be watching closely how these final rules play out, and also how far down the corporate chain these rules apply. It is quite likely that the HIPAA rules will become almost a de facto national security standard, if the reach of these rules applies to anyone in the contracting chain."


Reader Comments

Vendors of Personal Health Records

From: Jason Mark Anderman, 01/12/12 04:34 PM

"It is quite likely that the HIPAA rules will become almost a de facto national security standard, if the reach of these rules applies to anyone in the contracting chain." This is an intriguing idea, and underscored by the HITECH Act's reach to a wide variety of technology companies making personal health records available, as well as all of their third party service providers.