February 12, 2013

The Final Rule modifying HIPAA and other statutes promulgated on January 25, 2013 is chock-full of changes required for your maintenance, use and disclosure of PHI.  In fact, the changes even change the definition of PHI.

As a sampling of a new area of exposure and new requirements, under the Final Rule, a covered entity is now explicitly liable for the acts or omissions of its agents, including a member of its workforce OR Business Associate.  This change was made, as explained in the Federal Register, to run in accordance with the Federal common law of agency.  So what does this mean?  Well, it means if your billing company, who qualifies as a Business Associate (required to have a contract with all BAs!), improperly uses or discloses PHI and is now subject to required penalties (also new), you, as the covered entity (Practice) are responsible for same.  

This level of responsibility does not extend should the Business Associate subcontract out work.  However, the Business Associate
  is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency.  See  45 CFR 160.402.

Because you may now be exposed to a Business Associate's liability it is especially important to ensure you have a proper agreement that addresses shifting of responsibility or fault upon a breach, which under the Final Rule you are allowed to do, whether through indemnification or other avenue.   Addressing your Business Associate relationships is one step in updating your practice with proper HIPAA documents that will be required prior to the Final Rule's compliance deadline - September 23, 2013.  Other required steps include updating your HIPAA privacy policies, compliance with maintenance of electronic PHI, implementing required safeguards, as well as developing an understanding of your new practice obligations. 

To discuss your practice's compliance needs to prepare for September 23, 2013, schedule a consult with me by sending me an email at Jennifer@Kirschenbaumesq.com