Under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, provisions were passed to expand the scope of HIPAA. HIPAA rules now directly apply to healthcare vendors and their subcontractors. However, covered entities are still likely to be subject to serious consequences for breaches of their confidential data.
Under HITECH, a vendor must notify the covered entity (the healthcare organization) after discovering a breach of unsecured PHI. The covered entity is then responsible for notifying each affected individual. Even when a data breach is directly attributable to the vendor, both the covered entity and the vendor are exposed to regulatory penalties and reputational damage.
The HIPAA Omnibus Final Rule becomes fully effective on September 23, 2013, and makes a number of changes to the required terms and conditions of a business associate agreement:
According to HHS Office for Civil Rights Director Leon Rodriguez, “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.” 1