Under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, provisions were passed to expand the scope of HIPAA. HIPAA rules now apply directly to healthcare vendors and their subcontractors. Covered entities, however, remain exposed to serious consequences for breaches of their confidential data.
Under HITECH, a vendor must notify the covered entity (healthcare organization) after the discovery of a breach of unsecured PHI. The covered entity is responsible for notifying each affected individual. Although a data breach may be directly attributable to a vendor, both covered entity and vendor are at risk for regulatory penalties and reputational damage.
The HIPAA Omnibus Final Rule becomes fully effective September 23, 2013, and makes a number of changes to the required terms and conditions of a business associate agreement:
- All business associates are required to comply with the applicable requirements of the Security Rule, including implementing a complete HIPAA compliance program.
- All business associates are required to ensure that their own subcontractors that create, receive, maintain or transmit PHI on their behalf agree to comply with the requirements of the Security Rule and to the same restrictions and conditions that apply to the business associate with respect to such PHI.
- The definition of business associate has been expanded to include organizations that store or manage PHI, even if the business associate does not view the information or only does so on a random or infrequent basis.
- All business associates are required to report breaches of unsecured PHI.
According to HHS Office for Civil Rights Director Leon Rodriguez, “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.” [1]