HIPAA Training

Find your training needs here and sample policies and procedures.

HIPAA 4 MT

HIPAA and Independent Contractors

As we discussed when the recent proposed rule was published, independent contractors are now treated as business associates whether or not they contract directly with the covered entity. That brings challenges for everyone, as subcontractors try to work out what they need to do to be compliant.

As someone who has been there as an IC and knows what the struggles can be, I’ve been thinking how to best address this in a way that would be helpful. There are a lot of products out there to select from, and the prices range from $200 to $4,000. I don’t know too many independent contractors who could do that.

If you are a subcontractor, you should now have your own set of policies and procedures to show that you are compliant. To assist those of you who are independent contractors, we are now making the set of sample policies and procedures available to independent contractors, or anyone classified as a subcontractor, at a greatly reduced price. The policies, normally priced at $200, are available to the independent contractor for $60. This does not apply to a business owner with employees or subcontractors; it is only for the sole proprietor who contracts from someone else. It does not include the training that is offered, only the set of policies.

You might ask, “but how will you know?” Isn’t it possible that businesses will take advantage of this? Sure it is. Still, I believe that people in general operate with honesty and integrity. It’s the cornerstone of my businesses and I anticipate that others will do the same. For me, it’s just that simple.

If you would like to order a set of these policies, please email me, put “IC Policies and Procedures” in the subject line, and I will send you the discount code to use. This offer will be available through August 15, 2010.

UPDATE: There is a problem with the links for the training page. You can find information on available HIPAA Training at the training page on the website.

New OCR Proposed Rule Available

The Office for Civil Rights (OCR) has published the Notice of Proposed Rulemaking (NPRM) covering the changes to the HIPAA Privacy and Security Rules required by the HITECH Act. You can read the proposed rule here:

OCR Proposes New Rule

The document is 234 pages, so it takes a while to read. On a cursory read, here are some of the changes that appear to be coming:

  • Make the requirements of the Privacy and Security Rules apply to business associates just as they presently apply to covered entities.
  • Modify the definition of a business associate to include subcontractors. This will have a big impact on the medical transcription industry, because independent contractors who work for medical transcription services will have to classify themselves as business associates, with all of the responsibilities that go with that. The rule clearly states that a subcontractor, or independent contractor, is a business associate of the business associate. Under the proposed rule, patient safety organizations are also defined as business associates.
  • Require business associates to obtain "satisfactory assurances" from subcontractors that they will comply with the applicable requirements of the Privacy and Security Rules. Existing contracts between business associates and subcontractors can be grandfathered for up to one year beyond the rule's compliance date. OCR estimates 1.5 million business associates may have to bring subcontractors into compliance.
  • Require the notice of privacy practices to include a description of the uses and disclosures of protected health information that require an authorization.
  • Require covered entities to honor an individual's request to restrict disclosure of PHI to a health plan, unless the disclosure is otherwise required by law, when the restriction applies solely to an item or service the individual has paid for in full out of pocket.
  • Strengthen the right of individuals to obtain electronic copies of their health records.

Cost of Implementation

With any proposed rule making, there is a requirement that there be a cost analysis. I find this fascinating as it requires a real understanding of the industry and a lot of "guesstimates" about what will be required. The biggest costs have been identified as covered entities making new Notices of Privacy Practices, which must be rewritten and distributed to patients, and the cost of amending business associate agreements and/or writing new agreements between a business associate and their subcontractors.

The cost of redoing the notice of privacy practices is estimated at $166.1 million. The report estimates that 71% of this cost will be in the private sector and the other 29% in the government or public sector. While that sounds extremely costly and impossible to grasp, the report goes on to break the cost down per covered entity, with an estimate of $168 per covered entity. When viewed individually, it does not seem unreasonable.

It's important to note that OCR has no data on the cost of redoing contracts between business associates and their subcontractors. While there is an estimate of 1,500,000 business associates in total, no one really knows how many subcontractors each may have, so OCR is asking for public comment on this portion of the cost estimate.

How Long Will Compliance Take?

The OCR has prepared an estimated annualized burden table, which indicates what portion of the rules is referenced, the type of respondent, the number of respondents, average number of responses per respondent, average burden hours per response, and total burden hours.

This report estimates that there are 1,500,000 business associates, and allocates one hour per business associate to cover legal review of their revised business associate contract. That accounts for 1,500,000 hours of time spent to get this done. The estimated number of hours for revision of the Notice of Privacy Practices is 233,833, for an estimated 701,500 respondents. The time estimated to disseminate the new Notice of Privacy Practices for 200,000,000 patients is one hour per 100 patients, adding up to 2,000,000 hours. That makes the total estimated time 3,733,833 hours! Just in case you're wondering, that equals 155,576 days, 31,115 weeks (based on a 5-day work week), or 598 years! Thankfully all of this isn't being done by one person!

OCR is proposing that an additional 12 months be given for full compliance, on top of the six months it is currently allowed to give, for a total of 18 months to comply with those portions of the proposed rule.

Here's my question. Does this change your plans for implementation? How do you foresee that these changes will impact your business?

One of the biggest challenges for many of us is the risk analysis required by the HIPAA Security Rule. The industry has struggled with how to conduct it, what to cover, and how to document it. This past week the Office for Civil Rights issued a draft guidance document on the risk analysis the Security Rule requires.

The document is titled "HIPAA Security Standards: Guidance on Risk Analysis" and should be reviewed if you still have not conducted your risk analysis.

The OCR is tasked with issuing annual guidance related to the security rule. Following these guidelines as they are issued will help you stay on top of what you should be doing to be compliant.

Have you conducted your risk analysis? If not, now is the time!

HIPAA compliance requirements were changed significantly by the American Recovery and Reinvestment Act (ARRA), whose Title XIII is the Health Information Technology for Economic and Clinical Health (HITECH) Act. Under this law, business associates are directly accountable for the privacy and security requirements that previously applied only to covered entities, and a business associate is now subject to civil and criminal penalties. The law also directs HHS to establish a method by which individuals harmed by a violation can receive a share of any civil penalty collected.

This new federal law has added strength to the enforcement portion of the law. The significant changes include:

  • Employees and other workforce members, including independent contractors, are now subject to penalties as individuals. This means that individuals, not just organizations, are legally accountable.
  • HHS is required to formally investigate a complaint, and to impose civil penalties, when a preliminary investigation indicates the violation may be due to willful neglect.
  • Civil monetary penalties and monetary settlements collected for violations of the rules go to the Office for Civil Rights (OCR) to fund enforcement of the Privacy and Security Rules.
  • Civil monetary penalties are now tiered, from $100 to $50,000 per violation depending on the level of culpability, with an annual cap of $1.5 million for violations of an identical provision.
  • The Secretary of HHS is required to conduct periodic audits to ensure that covered entities and business associates comply with the rules.
  • State attorneys general now have the authority to bring civil actions in federal district court on behalf of the residents of their state.

What Steps Should a Business Associate Take to Be Sure You Are Compliant?

The first step is being sure you are properly classified. For example, if you are an independent contractor working for a service and not directly contracting with a covered entity, that probably means you are not a business associate, but an agent or subcontractor of a business associate. It is important, however, for independent contractors to understand if your contract is directly with the covered entity, that makes you a business associate and all of the new laws do apply to you.

Some things you need to consider include:

  • Assign responsibility for compliance to one person. You can have a team working on compliance issues, but one person must be named as the compliance officer and be responsible. This does not have to be an employee; you can use a consultant if that works best for you. What is critical is that this person is identified.
  • Encrypt all electronic files. Under the HITECH Act, encryption (or destruction) of PHI in accordance with HHS guidance is the "safe harbor": loss of encrypted data is not a reportable breach, while PHI that is not encrypted is "unsecured" under the law. You may already encrypt data in transit, but the same standard applies to data "at rest," so a lost laptop or backup drive holding unencrypted stored files is a breach. This may mean adding encryption to every electronic file stored anywhere on your system; in medical transcription that includes the voice files stored on your dictation system. Note that HHS guidance also expects the decryption keys to be kept on a device or at a location separate from the data, so a key stored beside the files it protects does not earn the safe harbor. The Secretary of HHS reviews these standards annually for changes.
  • Breach notifications. HIPAA has always required a business associate to notify its client of any breach of information; the law now makes you responsible for making sure the notification happens, and a business associate must notify the covered entity without unreasonable delay and no later than 60 days after discovering the breach. A breach is defined as acquisition, access, use or disclosure of unsecured PHI that is not permitted under HIPAA and that compromises the privacy or security of the information. Remember that unsecured data means unencrypted. Documentation of breach notifications must be kept for six years.
  • Be sure you are compliant with both the Privacy and Security Rules. There are many points to consider in these rules. You must have written policies and procedures and a written risk analysis. You must have a contingency plan for any kind of business disruption, and your systems must provide audit trails showing who accessed protected health information.
  • Realize you are responsible for the actions of your workforce. The rules require training of the workforce, which must be done and documented. If you have remote workers this is more of a challenge, but it is possible.
  • Another significant change: a business associate that knows of a pattern of activity or practice by its covered-entity client that materially violates their agreement must take reasonable steps to stop it, and if that fails, terminate the contract if feasible or report the problem to the Secretary of HHS. Covered entities have the same obligation toward their business associates, and this could well change some of the relationships you currently have with your clients.
  • Documentation. Remember, it's all about being sure you have things documented. Use the rule of thumb that says "if it's not documented, it wasn't done." It is no longer acceptable to just say you are compliant. You must have written documentation showing that you have done all of the required steps.

The changes that have come as a result of the HITECH Act certainly have a big impact on business associates. The date for compliance is past. If you haven't taken the required steps, now is the time to do it.

HIPAA Compliance: What’s All the Fuss About?

That question is one I hear a lot recently. What's all the fuss about? Why do I need to pay attention to all of these new "rules"? Isn't it just a way for someone to make money?

With the passing of the HITECH Act, the HIPAA rules and regulations have undergone some big changes. Things that previously could be overlooked can no longer be ignored. Business associates are now required to implement the things in the security rule and much of the privacy rule. Even something as simple as not having written policies and procedures will mean you are not compliant.

"It won't happen to me." So many people seem to be thinking that while they understand there are new rules, the rules don't really apply to them because their business is so small it just won't matter. And so, like the ostrich with its head in the sand, we move along thinking that as long as we don't address it, no one will see we're out there.

While it may seem daunting, being compliant really isn't that tough. There are a lot of simple things you can do to be sure you have taken the necessary steps, and written documentation showing a good-faith effort will go a long way if you happen to be one of those audited. Audits are now required by law, and nothing in the rules limits them to big organizations. Protection of patient privacy applies to everyone, no matter how big or small you are.

We are already seeing the effects of the new laws. HHS has posted the first group of breaches affecting 500 or more individuals on its website. And by the way, it's not just healthcare organizations: where a business associate was involved, it is listed too. That sure isn't a way to get good publicity for your business.

What about you? What's stopping you from taking the steps toward compliance?
