Health Information Compliance Alert

Compliance:

Be Prepared -- Stimulus Plan Strengthens HIPAA Rules

Many HIPAA regulations are now applicable to your business associates.

If you've been lax on overseeing your HIPAA compliance,now is the time to shore up those processes.

The stimulus bill, known as the "American Recovery and Reinvestment Act of 2009" (ARRA), strengthens the HIPAA requirements that health care providers face,increases penalties for privacy breaches, and creates restrictions on how you can share protected health information.

Important: The law will require your business associates to implement policies that establish administrative and technical safeguards; those associates could face fines or penalties if they breach the HIPAA rules.

"ARRA does not distinguish among business associates,"says attorney Edward Leeds with Ballard, Spahr,Andrews & Ingersoll in Philadelphia. "To the extent that ARRA applies the privacy and security rules to any business associate, it applies them to all business associates,"he says.

However, that doesn't mean that all HIPAA requirements apply to business associates, Leeds says. "That would effectively convert them into covered entities, and ARRA does not follow that path."

In a nutshell, Leeds says, "ARRA does make virtually all of the security requirements contained in the HIPAA regulations applicable to business associates but is more selective with respect to the application of the privacy rules."

Bottom line: "The stimulus package rule extends many of the obligations formerly only applicable to covered entities to all business associates," says attorney Stephen L. Page of Waller, Lansden, Dortch & Davis in Nashville.

Look for the Department of Health and Human Services to issue guidance on the HIPAA requirements on a regular basis, Page says.

Other Articles in this issue of

Health Information Compliance Alert

View All