The Impact of Recent HIPAA Changes The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, contains a number of changes to the regulations of the Health Insurance Portability and Accountability Act (HIPAA). To remain HIPAA-compliant, speech-language pathologists and audiologists who are “covered entities” (health ... Bottom Line
Free
Bottom Line  |   July 01, 2010
The Impact of Recent HIPAA Changes
Author Notes
  • Kate Romanow, director of health care regulatory advocacy, can be reached at kromanow@asha.org.
    Kate Romanow, director of health care regulatory advocacy, can be reached at kromanow@asha.org.×
Article Information
Practice Management / Bottom Line
Bottom Line   |   July 01, 2010
The Impact of Recent HIPAA Changes
The ASHA Leader, July 2010, Vol. 15, 3. doi:10.1044/leader.BML.15082010.3
The ASHA Leader, July 2010, Vol. 15, 3. doi:10.1044/leader.BML.15082010.3
The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, contains a number of changes to the regulations of the Health Insurance Portability and Accountability Act (HIPAA). To remain HIPAA-compliant, speech-language pathologists and audiologists who are “covered entities” (health care providers who conduct certain financial and administrative transactions electronically) should be aware of several HIPAA changes now in effect.
Security Breach Notifications
A covered entity must notify affected individuals following the discovery of a breach of unsecured protected health information (PHI). If a covered entity discovers a breach, it must provide written notice to the individual without “unreasonable delay” and within 60 days after the discovery of the breach. A business associate must follow the same timeline to notify the covered entity when it discovers a breach.
Right to Request PHI Restriction
Under HIPAA, an individual has the right to request that the covered entity restrict the use and disclosure of his or her PHI for treatment, payment, or health care operations. Prior to the HITECH Act provisions, a covered entity did not have to agree to a restriction; now, however, if an individual pays for a service out-of-pocket, the covered entity must grant the individual’s request for restrictions on the use and disclosure of PHI related to that service for payment or health care operations.
Business Associates
The HIPAA security standards that apply to covered entities also now apply to business associates (individuals or corporations that perform any function involving the use or disclosure of PHI on behalf of the covered entity and are not a member of the covered entity’s workforce). Previously, business associates were liable for breach of contract only if they did not comply with certain security requirements included in the business associate agreement. Now, business associates are required to comply with the HIPAA security standards and are subject to the same criminal and civil penalties that apply to covered entities if they do not. These new requirements must be added to the business associate agreement.
Business associates also are required to comply with the privacy obligations outlined in the business associate agreement. If a business associate violates those privacy provisions, the business associate is not only liable for a breach of contract, but also is subject to civil and criminal penalties.
Finally, if a business associate becomes aware that the covered entity has breached its obligations under the business associate agreement, the business associate must take steps to cure the breach. If this is not possible, the business associate must then either terminate the agreement or report the covered entity to the Department of Health and Human Services. (The covered entity already has the same obligation regarding a business associate’s breach of the agreement.) The business associate agreement should be amended to reflect this new obligation.
0 Comments
Submit a Comment
Submit A Comment
Name
Comment Title
Comment


This feature is available to Subscribers Only
Sign In or Create an Account ×
FROM THIS ISSUE
July 2010
Volume 15, Issue 8