
Mandatory HIPAA Update Required by 2/17/2010 for Chiropractors!

Written by Tom Necela, DC, CPC, CPMA, CCP-P on February 9th, 2010

Copyright 2007 RealityRN.com

The good news is that the new HIPAA requirements aren’t quite as bad as the above cartoon; the bad news is that they are going to require some paperwork on your part. And we know how much all of us chiropractors love paperwork! Here’s the skinny:

Covered entities and Business Associates (BA) are required to amend existing BA contracts or negotiate new contracts. Contracts executed prior to the HITECH Act do not comply with the interim breach notification rule or the new BA-related statutory requirements.  The breach notification requirements for BAs became effective September 23, 2009, and many of the other BA-related requirements become effective February 17, 2010.

Are Chiropractors Covered Entities?

The first question most chiropractors will ask is: “Am I a covered entity?”  Put simply, if you conduct transactions in electronic form, you are a covered entity.  Examples include billing electronically (or through a clearinghouse), using any electronic storage media, etc.  Most chiropractors are likely considered covered entities. If you are in doubt, see Medicare’s Covered Entity Chart to help you determine this.

What is a Business Associate?

In chiropractic, we tend to define an associate as the DC who is an employee and who helps us care for our patients. The HIPAA definition, however, is much broader than that.  In fact, the HIPAA Business Associate refers to non-employees with whom you do business and who use or have potential access to Protected Health Information (PHI).  Common examples of BAs may include: electronic clearinghouses, billing companies, transcriptionists, accountants, etc.  For more information and official definitions on Business Associates, go to the Department of Health & Human Services Business Associate page.

Why New Contracts?

As you may know, there was a changing of the guard last year and the Office of Civil Rights now administers HIPAA per the HITECH Act of 2009. Also included in that provision were mandatory HIPAA audits.

One simple way an organization can see how much monitoring needs to be done is to throw out a new change and see how well we comply.  In other words, new contract + monitoring = lots of money generated in fines for the new organization.

Forgive my cynicism; I am sure that there may be other motives. However, in the meantime, you need an updated BA contract by February 17, 2010…or else.

In case you are not motivated by the “or else” threat, here are some details:

What’s Changed in the new HIPAA Business Associate Agreement?

  • Establishes criminal and civil penalties for non-compliance
  • Now applies privacy & security rules DIRECTLY to BAs
  • Establishes mandatory breach reporting for CEs and BAs

The Hit to Your Wallet

If the threat of jail time is not enough for you (hey, I guess some people might appreciate the alone time), here are some threats to your bank account you might not like:

Penalties will be determined by nature and extent of both the violation and the harm resulting from the violation, so they could be substantial.  Civil monetary penalties have tiered increases to progressively punish offenders.

Tier 1:  Unintentional or inadvertent violation – At least $100 for each violation, but no more than $25,000

Tier 2: Reasonable cause, but no willful neglect – At least $1,000 for each violation, but no more than $100,000

Tier 3: Willful neglect, but violation is corrected – At least $10,000 for each violation, but no more than $250,000

Tier 4: Willful neglect, violation not corrected – At least $50,000 for each violation, but no more than $1,500,000

What is required?

  • Make a list of your current business associates and vendors
  • Identify entities with which your practice shares PHI, because these BAs are subject to the same privacy and security rules as Covered Entities
  • Draft new legal agreements for BAs to comply with the HITECH Act
  • Update HIPAA privacy & security policies and procedures (including the creation or modification of existing Breach Notification Policies). See Dept of HHS Breach Notification Policies page for more info.

The Bottom Line

You will kick yourself for getting fined for this new rule. Save yourself the time of emailing me your angry thoughts; I probably agree with you, and you’re screaming at the messenger anyway, which is not terribly productive.

Here are your options:

  • Have your attorney draft a Business Associate Agreement for you.
  • Search the internet for an agreement that is up to date (be sure that the agreement mentions the HITECH Act of 2009! Most that I have seen online are outdated and refer to the HIPAA rules of 2006) and relevant to what we do as chiropractors (I have seen ones that are 23 pages long!).

For those who’d like to save time and searching, you can obtain a copy of my Sample Business Associate Agreement that I use with my clients, updated for the recent HITECH Act changes. Simply open the Word document, change the names and any relevant info to match your clinic, and you are on your way! For those who would like to have an attorney review the document, this will save you time and money compared with having them draft one from scratch.

Any way you slice it, be sure to act on this promptly, as the deadline is approaching!

Best,

Tom Necela, DC

Legal Disclaimer: Every reasonable effort has been made to ensure the accuracy of the information and recommendations provided in respect to the Business Associate Agreement. However, due to the nature of changing payer requirements and state regulations, you may wish to seek advice from a local health care attorney to ensure that the use of the Business Associate Agreement is compliant with your state laws.


    Copyright © 2012 The Strategic Chiropractor. All rights reserved.
