New HIPAA Rules May Hit Payment Firms
The American Recovery and Reinvestment Act -- the formal title for the stimulus bill recently signed by President Barack Obama -- contains surprising modifications to HIPAA's Privacy and Security Rules, according to health care industry analysts. Some of those rule modifications may well change the way payment companies in the health care vertical market are regulated.
The new law, for the first time, requires business associates (including payment companies) to comply directly with many of HIPAA's rules and subjects business associates to HIPAA's civil and criminal penalties. The Act increases the penalties for various HIPAA violations and dramatically expands other remedial actions (such as increasing federal government audits; awarding attorneys' fees in some HIPAA lawsuits; and providing a mechanism for individuals to recover penalties under HIPAA).
Security Rules Apply Directly to Business Associates. For the first time, business associates must comply directly with many of HIPAA's Security Rules. This will require every business associate to take several actions, including appointing a security official, developing written policies and procedures, and training its workforce on how to protect electronic protected health information (“EPHI”). These provisions go well beyond the previous requirements for business associates, where business associates only had to comply with the written business associate agreement.
Business associates also will need to follow HIPAA's Security Rules relating to physical safeguards (such as locking computers that contain EPHI), technical safeguards (such as encrypting emails) and the requirement to adopt written policies and procedures. Failing to do so will, for the first time, subject a business associate to civil monetary penalties and criminal penalties for each violation (and, as discussed below, the civil monetary penalties are now increased).
New Security Breach Rules. Under current law, a breach of the privacy or security of protected health information ("PHI") often does not require significant action by a covered entity or business associate. This changes under the Act. Now, a covered entity or business associate that suffers a specified security breach will be required to notify each individual affected by the breach. Notification may be made in writing by mail or, if the individual has indicated a preference for it, by email. If the covered entity or business associate lacks current contact information for the affected individuals, it may be required to post notice of the breach on its website or in newspapers or other broadcast media (e.g., television). For certain large breaches (involving more than 500 residents of a particular area), a "prominent media outlet" must also be notified. The U.S. Department of Health and Human Services ("HHS") must be notified as well, and HHS is to establish a website listing these breaches. There is an exception for certain unintentional breaches.