November 19, 2009

If your business handles patient or employee medical information, then you need to update your policies and procedures to ensure compliance with recent amendments to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Employers that handle medical information about patients as part of their business, self-insure health insurance plans for their employees, or sponsor a health insurance plan for their employees (but do not use an insurer or third-party administrator to process health insurance claims) are all considered "covered entities" under HIPAA. Any company that receives protected health information from a covered entity in order to perform a service on its behalf (for example, claims processing, billing, data analysis or IT support) is considered a "business associate."

Previously, HIPAA's strict confidentiality (Privacy Rule) and computer security (Security Rule) requirements applied only to covered entities, which had to enter into so-called "business associate agreements" with any other company to which they disclosed patient or employee health information. These third parties, or business associates, promised the covered entity by contract that they would keep the patient information confidential, but they were not directly subject to HIPAA's regulations or penalties; only the covered entity could be held accountable by the government.

That has all changed under the recent HIPAA amendments.

Effective in February 2010, HIPAA's security requirements and financial penalties apply directly to business associates as well as covered entities. As a result, business associates must now comply with HIPAA's confidentiality and computer security requirements in their own right, not merely by contract. Penalties are tiered according to the level of culpability, with civil fines of up to $1.5 million per calendar year for violations of the same provision; the highest tier is reserved for violations caused by willful neglect that are not corrected within 30 days.

The HIPAA amendments also:

  • Allow state attorneys general to bring HIPAA enforcement actions. Previously, only the federal government could bring such actions.

  • Provide financial rewards to whistleblowers who report HIPAA violations to federal or state governments. This financial incentive exposes all covered entities and business associates to a far greater risk of enforcement action.

  • Require covered entities that discover a breach of unsecured protected health information to notify the affected individuals and the government and, if the breach affects 500 or more people, to notify the media as well. Business associates that discover a breach must report it to the covered entity.

In light of these important changes, all covered entities and business associates should review their HIPAA policies, procedures and business associate agreements in advance of the February 2010 effective date to help ensure that they comply with the new amendments.

This article contains material of general interest and should not be construed as legal advice or a legal opinion on any specific facts or circumstances. Under applicable rules of professional conduct, this content may be regarded as attorney advertising.