HIPAA Changes in the HITECH Act of 2009: Application of Security Provisions and Penalties to Business Associates of Covered Entities
House bill Sec. 4401
Senate bill Sec. 13401
Conference agreement Sec. 13401
This text is from the Conference Committee Report
Current Law
The Security Rule promulgated pursuant to the Health
Insurance Portability and Accountability Act (HIPAA) includes
three sets of safeguards: administrative, physical, and
technical, required of covered entities (providers, health
plans and healthcare clearinghouses). Administrative
safeguards include such functions as assigning or delegating
security responsibilities to employees, as well as security
training requirements. Physical safeguards are intended to
protect electronic systems and data from threats,
environmental hazards, and unauthorized access. Technical
safeguards are primarily IT functions used to protect and
control access to data.
HIPAA permits business associates (those who perform
business functions for covered entities) to create, receive,
maintain or transmit electronic health information on behalf
of that covered entity, provided the covered entity receives
satisfactory assurance in the form of a written contract that
the business associate will implement administrative,
technical, and physical safeguards that reasonably and
appropriately protect the information.
Violations cannot be enforced directly against business
associates. Although providers and health plans are not
liable for, or required to monitor, the actions of their
business associates, if a covered entity finds out about a
material breach or violation of the contract by a business
associate, it must take reasonable steps to remedy the
situation, and, if unsuccessful, terminate the contract. If
termination is not feasible, the covered entity must notify HHS.
House Bill
The House bill would apply the HIPAA security standards and
the civil and criminal penalties for violating those
standards to business associates in the same manner as they
apply to the providers and health plans for whom they are
working. It also would require the Secretary, in consultation
with stakeholders, to issue annual guidance on the most
effective and appropriate technical safeguards, including the
technologies that render information unusable, unreadable, or
indecipherable recommended by the HIT Policy Committee, for
protecting electronic health information.
Senate Bill
Same provision, but without any reference to recommended
safeguard technology standards.
Conference Agreement
The conference agreement includes language contained in the
House bill.