The requirements of HIPAA compliance have been changed greatly with the ARRA (American Recovery and Reinvestment Act) and the Title XIII of it is called HITECH “Health Information Technology for Economic and Clinical Health” Act. With this latest law introduction, now the business associates are answerable for the security and privacy requirements which were previously necessary only for the covered entities. Additionally, the business associates are also subject to criminal and civil penalties. In the law, there is a provision included that permits the patients to obtain financial recompense for privacy violations.
In this latest federal medical privacy law an extra strength is also added in the enforcement part of the act. The important changes include:
Workforce members and employees, also includes independent contractors, all are subject to civil penalties for violations. It means that individuals are now liable legally. There is also the necessity for HHS to investigate formally about any objections and to enforce civil penalties for disobedience of rules if this disobedience is because of willful neglect. It is a requirement of this law that any monetary settlements or social monetary penalties which arise due to the disobedience of rules will involve the OCR “Office of Civil Rights” for enforcement of security and privacy rules. Social financial penalties now have a tiered system that range from 100$ to 50,000$ depending on offense. The HHS secretary is required to perform periodic audits to assure that the covered business associates and entities are complaint with the new rules. The Attorney General of the state has power to take suit in regional courts for disobedience on behalf of their state residents.
In response to any complaint, the business associates can take some steps. In these steps the first thing is to be sure that you are correctly classified. For instance, you are an independent contractor and a service provider and you are not directly working with the covered entity, it means that you are not business associate. But, you are subcontractor or an agent for the business associate. It is very important for an independent contractor to know if his contract is with the covered entity which makes him a business associate and the all new laws apply on him.
Some things that must be considered are as follows: assigning responsibility for observance to one person. Although you can assign a team to work on observance issues, the name of one person should be the official compliance officer and must be responsible. This person should not be an employee but can be a supervisor or manager. A consultant may be used if you think he works well. But it is required that you someone designated for this position.
Before signing a business associate agreement, you must be sure about both privacy and security rules. Many points are there to be observed about these rules. You must follow the written procedures and policies. You must have an emergency plan for any type of business disturbance. Understand that you are accountable for all the actions of the workforce. It is requirement of the rules to train the workforce and the policy should be documented. For remote workers supervision will be more challenging but possible.