Since the Affordable Care Act "went live" on October 1, the main headlines have been about how individuals can secure coverage, how the websites for securing coverage have been (mal)functioning, and how debate over the law will affect future Congressional negotiations on funding.
If you own a business, however, the ACA (commonly called Obamacare) comes with a much more important headline: it could mean serious new liability exposures for your business. Here's a breakdown of where those exposures exist, how to stay in compliance with the newly stringent HIPAA enforcement requirements, and how to protect your business from expensive fines and penalties for HIPAA violations.
HIPAA, Meet HITECH
When the Health Insurance Portability and Accountability Act (HIPAA) took effect in 1996, it introduced privacy measures to protect Americans' sensitive health-related data. But critics insisted that HIPAA "had no teeth," a complaint they backed by noting that the only avenue people had for challenging violations of the privacy law was to report alleged violations with the department of Health and Human Services (HHS).
HHS was notoriously slow to respond to complaints and built up a significant backlog, meaning that Americans had few avenues to challenge HIPAA's privacy law.
In 2009, as part of the American Recovery and Reinvestment Act (ARRA), Congress introduced the "teeth" HIPAA needed to make it more effective. Those teeth took the form of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The HITECH provisions…
- Require HIPAA-covered entities to maintain specific physical, administrative, and digital data protection mechanisms.
- Mandate that any breaches of patient information be reported to affected parties in a timely manner.
- Mandate that any breaches of 500+ patient records be reported to HHS and the media.
- Require HIPAA-covered entities to demonstrate "meaningful use" of electronic patient records and that they give patients access to their records within 30 days of a request.
- Significantly increase the fines for HIPAA-covered entities that violate data privacy standards.
So how does all this apply to you? In addition to the increased fines for data privacy violations, HITECH expands the definition of "HIPAA-covered entities" to include healthcare businesses and any of their "business associates."
Who Counts as a Business Associate?
Under HITECH, any business that works with a HIPAA-covered business (i.e., a business in the healthcare sector) is subject to HIPAA's data privacy guidelines. Translation: you could be on the hook for meeting HIPAA data privacy guidelines if your business provides any of the following services to a HIPAA-covered entity…
- Accounting, bookkeeping, or tax preparation.
- Legal services.
- IT services.
- Any other services that give you access to protected healthcare information (PHI).
Why? Because according to the standards of HIPAA and HITECH, all entities that have access to sensitive healthcare information must meet the law's strict protection guidelines.
Legal Compliance for Business Associates
The good news about HITECH's strict new data security guidelines is that the HHS website has extensive resources outlining how businesses can update their contracts to come into compliance. The bad news? Those guidelines don't outline any of the protections business associates can put in place to manage the many liabilities they're exposed to by working with healthcare clients.
For example, the HHS website's sample contract includes this language:
"Reliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract."
Even more significant? There's no chance for a small business to fly under the radar if its compliance efforts aren't up to par.
That's because HITECH also introduces a provision that requires HHS to conduct random audits of HIPAA-covered entities and their business associates to verify that all parties are in compliance with HITECH data protection standards. Those that aren't in compliance could face fines similar to those levied on businesses that enable a breach.
If you're thinking "Yikes" right about now, don't worry: that means you understand how disruptive the combination of HITECH and ACA could be to your business.
Think of it this way: with health insurance mandated for every American, the number of businesses providing healthcare is going to increase significantly. As more businesses provide healthcare services to more people, they'll hire more professionals to do their taxes, negotiate their contracts, settle their lawsuits, set up their email systems, fix their software, and do hundreds of other tasks that offer their business associates access to sensitive healthcare information.
Risk Management & Financial Protection for Business Associates: Beyond the Contract Requirements
So what can you do to make sure your business is not only in compliance with HITECH guidelines but also financially prepared to deal with HITECH fines if you're victimized by a data breach and compromise protected health information?
For starters, you can recognize the two major liabilities your work with HIPAA-covered entities exposes you to.
- Cyber Liability: This is a biggie. It refers to your legal responsibility to keep all digital information secure. Every state has its own cyber liability laws regarding "ordinary" information, but HIPAA and HITECH are the only federal laws that regulate the privacy of protected health information. If you don't uphold your responsibilities for keeping patient information private, you could face fines and penalties from both your state and the federal government. Under the new HITECH guidelines, federal fines for data breaches can total $1.5 million per year — up from a $25,000 annual total before HITECH.
- Professional Liability: If your professional work involves handling sensitive client data (such as SSNs, credit card info, tax information, medical information, etc.), letting that information get into the wrong hands (or merely failing to protect that information according to HITECH's standards) exposes you to professional liability — that is, responsibility for not properly carrying out your job.
In addition to HITECH fines for cyber liability violations, you could face lawsuits over failure to protect sensitive client data. Similarly, professional liability mistakes could lead to costly legal action.
The good news is that there are business insurance policies designed specifically to guard against these exposures. Cyber Liability Insurance (also called Data Breach Insurance) guards you by covering the costs of…
- Alerting affected parties that their records have been breached.
- Paying state or federal fines.
- Launching a PR or advertising campaign to restore public trust in your company.
- Investigating the data breach, how it happened, and who's responsible.
Professional Liability Insurance (also called Errors & Omissions Insurance) covers the cost of…
- Lawyer's bills for mounting a legal defense of your business and its practices.
- Court fees (including docket fees, evidence fees, expert witness fees, and more).
- Settlements or judgments.
So What Counts as a Data Breach?
One final point that business owners with healthcare clients need to keep in mind: data breaches are everywhere.
While many of us think of a data breach as a large-scale hacking incident carried out by some sinister cyber criminal, the truth is that data breaches are much more common — and often more mundane. For example: earlier this year, Affinity Health Plan, Inc. was fined $1.2 million under HITECH rules for returning a leased photocopier to the leasing agent without erasing patient data stored on the machine's hard drive.
No outside forces accessed the data illegally, and the fine was levied merely because Affinity's actions made possible the exposure of patient information. What's more, the breach was only discovered when CBS bought one of the photocopiers specifically to investigate the degree to which Affinity had adhered to HIPAA data privacy guidelines.
So if you're a business associate to a HIPAA-covered entity, you risk facing sky-high data breach fines if you fail to…
- Properly store or dispose of hardware that contains Protected Health Information.
- Maintain mandated safety measures (administrative, digital, and physical).
- Prevent an actual hacking incident to your system.
The Bottom Line: HITECH Means High Stakes for Healthcare Business Associates
The implementation of the Affordable Care Act means exciting and potentially lucrative new opportunities for professionals in a variety of service fields. But HITECH's revisions to HIPAA means that these opportunities come with a significant increase in risk exposure. Manage your risks and reduce your liabilities by reviewing HITECH guidelines, consulting with your attorney, and updating your business insurance policies.