Insureon Blog

HIPAA Has Teeth: What Accountants, Lawyers, and Other Professionals Need to Know When Working with Clients in Healthcare

23. October 2013 16:43


Since the Affordable Care Act "went live" on October 1, the main headlines have been about how individuals can secure coverage, how the websites for securing coverage have been (mal)functioning, and how debate over the law will affect future Congressional negotiations on funding.

If you own a business, however, the ACA (commonly called Obamacare) comes with a much more important headline: it could mean serious new liability exposures for your business. Here's a breakdown of where those exposures exist, how to stay in compliance with the newly stringent HIPAA enforcement requirements, and how to protect your business from expensive fines and penalties for HIPAA violations.

HIPAA, Meet HITECH

When the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, it introduced privacy measures to protect Americans' sensitive health-related data. But critics insisted that HIPAA "had no teeth," a complaint they backed by noting that the only avenue people had for challenging violations of the privacy law was to report them to the Department of Health and Human Services (HHS).

HHS was notoriously slow to respond to complaints and built up a significant backlog, so in practice Americans had few ways to hold violators of HIPAA's privacy law accountable.

In 2009, as part of the American Recovery and Reinvestment Act (ARRA), Congress introduced the "teeth" HIPAA needed to make it more effective. Those teeth took the form of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HITECH provisions…

So how does all this apply to you? In addition to raising the fines for privacy and security violations, HITECH makes a covered entity's "business associates" directly responsible for complying with HIPAA's safeguards, and directly subject to HHS enforcement, rather than bound only by the terms of their contracts.

Who Counts as a Business Associate?

Under HITECH, any business that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a HIPAA-covered entity (a health plan, a healthcare clearinghouse, or a healthcare provider) is a "business associate" and is subject to HIPAA's data privacy and security rules. Translation: you could be on the hook for meeting HIPAA data privacy guidelines if your business provides any of the following services to a HIPAA-covered entity…

Why? Because under HIPAA and HITECH, every entity that has access to protected health information must meet the law's protection requirements, whether it is the healthcare business itself or a contractor working on its behalf.

Legal Compliance for Business Associates

The good news about HITECH's stricter data security rules is that the HHS website offers extensive resources, including sample business associate agreement language, showing how businesses can update their contracts to come into compliance. The bad news? Those resources say nothing about the protections business associates can put in place to manage the many liabilities they take on by working with healthcare clients.

For example, the HHS website's sample contract includes this language:

"Reliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract."

Even more significant? There's no chance for a small business to fly under the radar if its compliance efforts aren't up to par.

That's because HITECH also requires HHS to conduct periodic audits of HIPAA-covered entities and their business associates to verify that all parties comply with HITECH data protection standards. Those found out of compliance can face penalties comparable to those levied on businesses that allow a breach, even if no data has actually been exposed.

If you're thinking "Yikes" right about now, don't worry: that means you understand how disruptive the combination of HITECH and ACA could be to your business.

Think of it this way: with health insurance mandated for every American, the number of businesses providing healthcare is likely to grow significantly. As more businesses provide healthcare services to more people, they'll hire more professionals to do their taxes, negotiate their contracts, settle their lawsuits, set up their email systems, fix their software, and do hundreds of other tasks that give those business associates access to protected health information.

Risk Management & Financial Protection for Business Associates: Beyond the Contract Requirements

So what can you do to make sure your business is not only in compliance with HITECH guidelines but also financially prepared to deal with HITECH fines if you're victimized by a data breach and compromise protected health information?

For starters, you can recognize the two major liabilities your work with HIPAA-covered entities exposes you to.

In addition to HITECH penalties for privacy and security violations, you could face lawsuits over failure to protect sensitive client data. Similarly, mistakes in the professional work you do for those clients could lead to costly legal action.

The good news is that there are business insurance policies designed specifically to guard against these exposures. Cyber Liability Insurance (also called Data Breach Insurance) guards you by covering the costs of…

Professional Liability Insurance (also called Errors & Omissions Insurance) covers the cost of…

So What Counts as a Data Breach?

One final point that business owners with healthcare clients need to keep in mind: data breaches are everywhere.

While many of us think of a data breach as a large-scale hacking incident carried out by some sinister cyber criminal, the truth is that data breaches are much more common, and often more mundane. For example: earlier this year, Affinity Health Plan, Inc. agreed to a $1.2 million settlement with HHS under the HIPAA rules after returning leased photocopiers to the leasing agent without erasing the patient data stored on the machines' hard drives.

No outsider broke in to get the data; the penalty was levied because Affinity's actions made the exposure of patient information possible, and because the hard drives in its copiers had never been included in its risk analysis. What's more, the breach came to light only when CBS News bought one of the used copiers for a story on the data that office copiers retain, and found Affinity's patient records on its drive. The practical lesson for any business that handles protected health information: copiers, printers, scanners and similar office equipment contain storage that keeps copies of what passes through them, so treat them like any other computer and wipe or destroy that storage before the equipment is sold, returned, or discarded.
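One concrete check a business associate can run before leased or retired equipment leaves the building, as an added example that is not part of the original post: pull or image the device's drive and scan it for blocks that a zero-fill wipe should have left empty. The script below is illustrative Python written for this page; the 4 KiB block size and the sample image containing a leftover document fragment are constructed assumptions, not data from the Affinity case.

```python
"""Check a drive image for residual data before equipment leaves your hands.

Illustrative code added to this post, not from the original article or from
any vendor tool. It reads a disk image (or a block device opened read-only)
in fixed-size blocks and reports every block that is not all zeros, which is
what a zero-fill wipe should have produced. Block size and sample data below
are assumptions.
"""
import io

BLOCK_SIZE = 4096  # assumption: common filesystem block size; any size works


def scan_for_residual_data(source, block_size=BLOCK_SIZE):
    """Scan `source` (bytes, or a binary file-like object) block by block.

    Returns a dict with the number of blocks read, how many contained any
    non-zero byte, the byte offset of the first such block (None if the
    image is clean), and the total bytes scanned.
    """
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    zero_block = bytes(block_size)
    total = dirty = 0
    first_dirty = None
    offset = 0
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            break
        total += 1
        # The final block may be short; compare it against zeros of its own length.
        if chunk != zero_block[: len(chunk)]:
            dirty += 1
            if first_dirty is None:
                first_dirty = offset
        offset += len(chunk)
    return {
        "total_blocks": total,
        "dirty_blocks": dirty,
        "first_dirty_offset": first_dirty,
        "bytes_scanned": offset,
    }


def is_wiped(source, block_size=BLOCK_SIZE):
    """True only if every block is all zeros."""
    return scan_for_residual_data(source, block_size)["dirty_blocks"] == 0


def build_sample_image(block_size=BLOCK_SIZE):
    """Constructed sample: six zeroed blocks, except block 3 still holds a
    fragment of a scanned document, the kind of leftover a copier drive keeps."""
    blocks = [bytes(block_size) for _ in range(6)]
    leftover = b"%PDF-1.4 ... Patient: J. Doe  DOB: 01/02/1970 ..."  # constructed
    blocks[3] = leftover.ljust(block_size, b"\x00")
    return b"".join(blocks)


if __name__ == "__main__":
    image = build_sample_image()
    print("before wipe:", scan_for_residual_data(image))
    # After a zero-fill wipe of the same image, the scan reports no dirty blocks.
    print("after wipe: ", is_wiped(bytes(len(image))))
```

To run it against a real drive, pass an open read-only file object such as `open("/dev/sdb", "rb")` or a captured image in place of the constructed sample. A non-zero `dirty_blocks` count means the wipe did not complete, and `first_dirty_offset` tells you where to start looking; a drive that was wiped with a non-zero pattern, or physically destroyed, needs a different verification step.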

So if you're a business associate to a HIPAA-covered entity, you risk facing sky-high data breach fines if you fail to…

The Bottom Line: HITECH Means High Stakes for Healthcare Business Associates

The implementation of the Affordable Care Act means exciting and potentially lucrative new opportunities for professionals in a variety of service fields. But HITECH's revisions to HIPAA mean that these opportunities come with a significant increase in risk exposure. Manage your risks and reduce your liabilities by reviewing HITECH guidelines, consulting with your attorney, and updating your business insurance policies.


Tags:

Accountants & Bookkeepers | HIPAA | Lawyers
