EHR Authors and Value Added Resellers (VARs) will soon have their own HIPAA obligations. At present, EHR Authors and VARs are contractually obligated by the terms of any HIPAA Business Associate Agreements (BAAs) they have signed. Soon, EHR Authors and VARs (and all other types of Business Associates) will be directly regulated by HIPAA. This means that they will be subject to Civil Monetary Penalties up to $50,000 per incident and up to $1.5 million for identical violations in 1 year.
Based on draft rules published on July 14, 2010, the new HIPAA rules explicitly define Business Associate obligations, which are a subset of the obligations of “covered entities”. This subset includes
- the entire HIPAA Security Regulation
- the “minimum necessary” provision of the HIPAA Privacy Regulation
- the prohibition of any use or disclosure of Protected Health Information (PHI) that would be a violation for a covered entity to use or disclose
- the obligation to put subcontractors who use PHI under a HIPAA Business Associate contract. (The draft regulation clarifies that these subcontractors are also “Business Associates”.)
The HIPAA obligation for EHR authors and VARs is created by their activities and services through which their employees are exposed to the PHI of their clients. Examples of these services include on-site support, remote support that includes access to PHI, training, data conversions, operation of hosted data centers, on-line backup services, operation of patient access portals, value-added services like off-site document scanning, and other VAR services.
Because EHR Author and VAR operations are vastly different from those of the health providers they serve, the compliance obligations are also different. Consequently, “off-the-shelf” HIPAA manuals used by physicians and hospitals will be insufficient.
While HHS was directed by the HITECH Act to write these rules by February 17, 2010, the draft rules have not yet been finalized. When will they be released? Who knows! However, HHS has indicated its intent to provide a 6-month grace period once the final rules are published. Proactive EHR authors and VARs are advised to prepare early for these new obligations.