Editor’s Note: Thanks to our friends at Mercury Health for their permission to reprint the following item from their website.
Mercury’s Health Insurance Portability and Accountability Act (HIPAA) compliance team offers timely advice about how the new Health Information Technology for Economic and Clinical Health Act (HITECH) raises the ante for compliance by medical tourism facilitators and suppliers that hope to do business with US insurers, employers and consumers.
What You Need to Know
As required by section 13402(e)(4) of the HITECH Act, the Secretary of Health and Human Services must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format that lets users search and sort the posted breaches. The new format also includes brief summaries of the breach cases that the Office for Civil Rights (OCR) has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary.
**View the Wall of Shame Here**
“Subcontractors” Now Statutorily Obligated to Comply
The burden is on the covered entity to show that there is a low probability that the protected health information has been compromised. This reflects two changes. First, the focus of the assessment is no longer the harm to the patient but whether the information has been compromised. Second, the burden of proof is clearly on the covered entity. So unless it can demonstrate with reasonable clarity that there is a low probability the information has been compromised, the covered entity must treat the incident as a breach and self-report it.
“The final rule adopts the proposal to apply the business associate provisions of the HIPAA Rules to subcontractors and thus, provides in the definition of ‘business associate’ that a business associate includes a ‘subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.’”
A medical tourism facilitator that transmits or receives protected health information (PHI), or a supplier in another country that executes a business associate addendum with a US insurer, employer or facilitator, is now a business associate under the rules and will be jointly and severally liable by contract for infractions. Such parties must comply with the rules and cannot claim ignorance as a defense.
Federal civil rights laws and the HIPAA Privacy Rule together protect US citizens’ fundamental rights of nondiscrimination and health information privacy. Civil rights laws help protect them from unfair treatment or discrimination because of their race, color, national origin, disability, age, sex (gender), or religion. Federal laws also provide conscience protections for healthcare providers who refuse to perform certain procedures or dispense certain medications on the basis of personal moral convictions.
The Privacy Rule protects the privacy of an individual’s health information; it says who can look at and receive one’s health information, and it also gives one specific rights over that information. In addition, the Patient Safety Act and Rule establish a voluntary reporting system to enhance the data available to assess and resolve patient safety and healthcare quality issues, and provide confidentiality protections for patient safety concerns.
By enforcing the Privacy and Security Rules, OCR helps to protect the privacy of one’s health information held by health insurers and certain healthcare providers. These providers and insurers may include:
- Doctors and nurses
- Hospitals, clinics, and nursing homes
- Health insurance companies
- Health maintenance organizations (HMOs)
- Employer group health plans
- Medical tourism facilitators that arrange healthcare services (as business associates of covered entities)
- Certain government programs that pay for healthcare, such as Medicare and Medicaid
OCR also enforces the confidentiality provisions of the Patient Safety Act and Rule.