By Jonathan P. Tomes
The so-called HITECH Act[1] and its implementing regulation, the Omnibus Rule,[2] have dramatically changed HIPAA's[3] rules and liability for HIPAA violations.
Areas of change that lawyers should be aware of are increased criminal and civil liability for HIPAA violations and changes in the rules governing business associates, simplistically defined as those who provide a service for a covered entity,[4] such as a physician practice or hospital, involving individually identifiable health information.[5] A lawyer defending a physician against a malpractice allegation is but one example of a business associate.
The HITECH Act greatly expanded HIPAA's criminal liability. Before the Act, HIPAA's criminal liability applied only to covered entities. The Act, however, expanded liability to employees of covered entities and other individuals, as follows:
For purposes of the previous paragraph [HIPAA crimes], a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part [the HIPAA crimes] if the information is maintained by a covered entity ... and the individual obtained or disclosed such information without authorization.[6]
A recent conviction of a hospital visitor for taking records from a Birmingham, Alabama, hospital to use to commit identity theft shows just how broad the expansion to "other individuals" is. The federal court sentenced her to 15 months in prison.[7] If a hospital visitor can commit a criminal HIPAA violation, who can't?
Perhaps even more germane to lawyers, the Act expanded HIPAA's criminal and civil liability to business associates. Thus, business associates not only may be indicted for a violation of 42 U.S.C. 1320d-6, but also are subject to HIPAA's civil money penalties, which can reach as high as $50,000 per violation,[8] and to a lawsuit in federal court.[9] The first such lawsuit against a business associate (a debt collection service), which must be brought on behalf of the aggrieved individual by the state attorney general, settled for $2.5 million.[10]
Before the Act, the business associate only had to comply with the terms of the business associate agreement, with certain required contents, that the covered entity was required to put in place before using a service involving the use or disclosure of protected health information (PHI).[11] All such contracts required that the business associate implement reasonable and appropriate safeguards to protect PHI and only use and disclose PHI in a manner authorized in the agreement, along with certain ministerial duties. Now, business associates must comply with the Security and Privacy Rules and other requirements to the same extent as covered entities.[12]
Thus, under the HITECH Act, business associates now are effectively, if not legally, covered entities. Even if that statement seems too broad, business associates clearly face the same civil and criminal liability as do covered entities and have to do most things that covered entities do.[13] So now, for example, a business associate maintaining or transmitting individually identifiable health information under a business associate contract will have to conduct a risk analysis, have a destruction plan, train staff on HIPAA and the like.[14]