On Jan. 25, 2013, the Department of Health and Human Services (HHS) published the “Final Rule” modifying the regulations under the Health Insurance Portability and Accountability Act (HIPAA). The Final Rule, which took effect on March 26, 2013, modified the standards previously set forth in the Privacy Rule, the Security Rule and the Enforcement Standards, and implemented statutory amendments under the Health Information Technology for Economic and Clinical Health (HITECH) Act by modifying the interim Breach Notification Rule. This article examines the Final Rule’s impact on business associates, such as certain third party administrators, consultants and accountants, and offers practical steps for compliance with the Final Rule by the Sept. 23, 2013, deadline.
The financial and operational impact on business associates will be significant because the Final Rule allows, for the first time, HHS Office for Civil Rights (OCR) to regulate business associates. OCR may now directly impose civil monetary penalties (CMPs) on business associates for non-compliance with HIPAA and its underlying regulations. CMPs can range from $100 to $50,000 per violation, with a cap of $1.5 million per year for multiple violations of identical HIPAA provisions in a calendar year. In addition, the business associate and certain individuals, such as directors, officers or employees, may be subject to criminal penalties, including financial penalties and imprisonment. The Final Rule also expands the definition of “business associate” to capture additional individuals and entities that have access to protected health information (PHI). Unlike traditional covered entities, these new business associates are often smaller operations without an existing HIPAA-compliant infrastructure.