HIPAA Requirements for business associates

In keeping with the growing privacy and security compliance as per the American laws, business associates are immediately required to comply directly with many of the HIPAA’s rules. If as a business associate, you fail to comply with these rules, you are subject to civil and criminal penalties, including a provision that allows individuals to receive financial compensation for the violation. With passage of the American Recovery and Reinvestment Act (ARRA), other remedial actions have also been expanded such as increasing federal government audits; granting attorneys fees in some HIPAA lawsuits; and allowing a method for individuals to recover penalties under HIPAA.

A business associate shall have the following tasks on his list in order to comply with the law-

* Appointing a Security Official.
* Developing written policies and procedures, including physical safeguards, (such as locking computers that contain EPHI), and technical safeguards (such as encrypting emails).
* Training workforce on how to protect electronic protected health information (“EPHI”).

If you violate EPHI for a reasonable cause and not with willful neglect, your penalty per violation would be $1,000. If there is a reasonable cause, corrected, the penalty is $25,000 per violation and maximum $2,50,000 per year. For reasonable cause, uncorrected, the penalty is $50,000 per violation and a maximum of $1,500,000 per year.

Also, with immediate effect

* You are required to notify each individual affected by a security breach by mail, or if specified as preference, by email.
* If you don’t have contact information for that individual, you may be required to post notice of the breach on your website, in newspapers, or other broadcast media.
* For breaches involving more than 500 residents in one area, you must notify a “prominent media outlet.”
* You also must contact the Department of Health and Human Services. DHHS is establishing a website listing these breaches. There is an exception for certain unintentional breaches. Consult a health law attorney if you have any questions or concerns about building your policies and procedures, or tasks assigned to the Security Official.