Page 12

Billing_MJ13

How the New HIPAA Regulations Affect Billing Companies and Their Subcontractors as Business Associates

By Robert A. Polisky, Esq.

DEVELOP AN ACTION PLAN FOR YOUR COMPANY AND SUBCONTRACTORS

On January 25, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services (OCR) published the anticipated final omnibus rule (the Final Rule). This rule created significant changes to the Privacy, Security, Breach Notification, and Enforcement Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), many of which are required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The Final Rule also implements changes to the Genetic Information Nondiscrimination Act of 2008.

The scope of the Final Rule is extensive, and enhances OCR’s ability to enforce HIPAA. In the press release announcing the Final Rule, OCR Director Leon Rodriguez proclaimed that the Final Rule “marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented” and “strengthens the ability of my office to vigorously enforce the HIPAA privacy and security protections….” Individuals and entities affected by the Final Rule must comply with most of its provisions by September 23, 2013.

This article addresses key provisions of the Final Rule applicable to billing companies and their subcontractors, enforcement changes, and recommended action items needed for compliance by billing companies and their subcontractors.

KEY PROVISIONS

BUSINESS ASSOCIATES AND THEIR SUBCONTRACTORS

Expanded Definition of “Business Associate”

The Final Rule expands the definition of a “business associate” to include any individual or entity that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity. Companies that code, bill, and/or collect claims on behalf of a health care provider (i.e., a covered entity) are business associates under HIPAA. Notably, the Final Rule includes subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate as business associates themselves. Thus, any subcontractors that a billing company engages to assist in coding, billing, or collections, and any subcontractors that store or transmit any healthcare records on the billing company’s behalf, are business associates of the billing company.

Direct Liability

As business associates, the Final Rule requires billing companies and their subcontractors to comply with the Security Rule’s administrative, physical, and technical safeguard requirements as well as with the Security Rule’s policies and procedures and documentation requirements. These requirements apply to business associates in the same manner as they apply to covered entities, such that billing companies and their subcontractors can be held civilly and criminally liable for violations of these requirements.

Similarly, the Final Rule applies certain Privacy Rule requirements to business associates and establishes direct liability of business associates for violations of these requirements. A billing company does not need to provide a notice of privacy practices or designate a privacy official unless the covered entity designated such a responsibility in the billing company’s business associate agreement. Specifically, billing companies and their subcontractors, as business associates, have direct civil and criminal liability exposure for the following items.

1. Impermissible uses and disclosures of PHI
2. Failure to provide breach notification to the covered entity
3. Failure to provide access to a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement)
4. Failure to disclose PHI to OCR where required by OCR

12 HBMA Billing • May.June.2013

