A Legal Guide to PRIVACY AND DATA SECURITY 2024

Security Rule. Security standards for the protection of electronic PHI are set forth in the HIPAA Security Rule. Prior to passage of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), business associates were liable only indirectly for their violations of the commitments set forth in a business associate agreement with a covered entity. HITECH obligates business associates to comply with all of the HIPAA Security Rule and many parts of the HIPAA Privacy Rule. Violations of HIPAA requirements by business associates expose those organizations to enforcement actions by the HHS Office for Civil Rights (OCR). HITECH also changed many of the substantive requirements of the Privacy Rule, including adopting more restrictive guidelines to govern marketing activities using PHI. In addition, HITECH gave HIPAA enforcement authority to state attorneys general. The HITECH Act also created an obligation for covered entities, their business associates, and in some cases subcontractors to provide certain notifications in the event the security or privacy of an individual's PHI has been compromised. These guidelines have been codified in the HIPAA Breach Notification Rule.

Application. HIPAA applies to "covered entities" and "business associates" as defined in the regulation at 45 C.F.R. § 160.103. It applies to those who transmit PHI electronically as part of certain "standard transactions." This means that most health care providers who submit claims to health plans, HMOs, and other managed care organizations (such as doctors, hospitals, insurance companies, and pharmacies) are subject to HIPAA. Business associates that create, receive, maintain, or transmit PHI on behalf of covered entities (and subcontractors that engage in similar types of activities on behalf of business associates) are also directly subject to the HIPAA Security Rule and parts of the Privacy Rule.

Scope. HIPAA is limited to covered entities over which the United States government has enforcement authority. However, certain business associates of covered entities may have contractual obligations to safeguard PHI, including those operating outside of the United States.
