The new HIPAA Omnibus Regulations can be a daunting read, but contained within those 563 pages are extensive changes regarding how healthcare providers and their respective collection agency partners handle patient data.
insidePatientFinance.com has distilled the relevant regulations covering the relationship between providers (“covered entities” in the regulations) and collection partners (“business associates”) into a single 21-page document that you can download here (PDF, registration required).
Below are five changes contained in the regulations that you need to know today:
1. “Business associates,” such as collection agencies, are now as much on the hook for violating patient privacy laws as providers. (See page 92 of the full regulations, which you can download via the link below.)
2. If business associates have subcontractors that come in contact with protected patient data, the business associate will be required to have a business associate agreement with them. Providers, however, will not be required to have business associate agreements with the subcontractors of business associates. (p. 136)
3. The new regulations require potentially extensive changes to current business associate agreements. In light of all the negotiating required to get all these agreements in place, the new regulations provide a grace period of one year — provided that a business associate agreement already exists. (p. 149)
4. The current contractual relationships between business associates and their respective subcontractors will be allowed the one-year grandfathering provision, provided that the business associate is compliant with the previous law, which requires the business associate to ensure that its agents with access to protected health information agree to the same restrictions and conditions that apply to the business associate. (p. 151)
5. The new regulations contain higher penalties for breaches and other violations. What is important to know is that any violation that occurred on or after February 18, 2009, will be subject to the new penalties. (p. 71)
You can download the entire omnibus final rule here (PDF, registration required).