HHS Office for Civil Rights Enforcement Efforts Target Business Associates
According to an article in Modern Healthcare (3/21, Conn, Subscription Publication), the Department of Health and Human Services (HHS) Office for Civil Rights is changing its privacy and security auditing process per the American Recovery and Reinvestment Act of 2009’s health IT rules. The revised enforcement process “will target the business associates of healthcare providers, insurers and other HIPAA-covered entities along with the entities themselves.”
Beyond expanding the scope of privacy and security provisions, the 2009 stimulus bill required that HHS conduct compliance audits, and “placed the businesses that do data handling, processing and analysis in healthcare on the same legal footing as the hospitals, physicians, insurance companies and claims clearinghouses they work for.” For this reason, business associates should ensure that they have appropriate HIPAA Privacy and Security policies and procedures that provide the requisite administrative, physical, and technical safeguards for the PHI that they use, access, or disclose. In the event of a breach, business associates of a covered entity will be subject to the same enforcement-related penalties as covered entities.