
Billing_MJ13

HIPAA Final Ruling
Help Your Clients Learn Some of the Nuances
By Connie Ditto, Esq.

On January 25, 2013, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published its Final Rule of modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in accordance with the Health Information Technology for Economic and Clinical Health Act (HITECH) and Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA). The stated purpose of the final rule is to both “strengthen the privacy and security protections” established under HIPAA and to “increase flexibility for and decrease burden on the regulated entities.” The final rule amendments can be found in 45 Code of Federal Regulations Parts 160 and 164. The amendments became effective on March 26, 2013 and will be enforced by the OCR beginning September 23, 2013.

The final rule implements most of the revisions to the Privacy and Security Rule of HIPAA that were proposed in the interim final rules published in 2009. It is expansive, and this article will address just a few of the amendments affecting health care providers.

Business Associates Direct Liability

Prior to the final rule, providers were required to enter into business associate agreements with contractors to whom they divulged protected health information (PHI). Although a business associate agreement is still required, the final rule makes business associates directly liable for violations of certain HIPAA provisions. The proposed rule’s discussion of “downstream contractors” and “vicarious liability” had many providers fearful that they would be liable for a business associate’s (or that business associate’s business associate) failure to comply with HIPAA. The final rule clarified that providers do not need to enter into business associate agreements with the contractors of their business associates.

Each business associate itself is responsible for ensuring its contractors protect patient privacy when entering into the applicable business associate agreement. For example, a physician’s office that contracts with a medical billing company should have a business associate agreement with the billing company, but does not need to have a business associate agreement with the collection agency the billing company has hired. Instead, the billing company is responsible for entering into a business associate agreement with that collection agency.

Keep in mind, however, the final rule maintained the agency’s ability to assess liability against an agent under the legal theory of vicarious liability as it is interpreted under the federal common law of agency. This essentially means that if a provider controls the business associate, it may be held responsible for the business associate’s failure to comply.

Increased Penalties for Non-Compliance

The penalties for non-compliance remain as they were proposed in 2009. There are four levels of civil monetary penalties, ranging from $100 to $1,500,000. The amount of the civil monetary

18 HBMA Billing • May.June.2013

