When the HIPAA privacy rule first went into effect, business associates of hospitals, physicians, etc. didn't have to worry about getting in trouble for releasing data in ways that violate patients' privacy.
In light of several years of clumsy handling of patient data by contractors and employees, it's perhaps not surprising that HHS is changing the rules to extend the strict HIPAA privacy rules -- and penalties for violations -- to external vendors and IT communities.
If you work in any way with patients' medical data -- whether as a data processor, consultant, IT contractor, EHR installer, whatever -- you'd better get familiar with the new rule that goes into effect March 26. It clarifies when breaches need to be reported to the Office for Civil Rights, scraps the old standards for the use of patient-identifiable data for marketing and fundraising purposes, and expands direct liability under the law to so-called “business associates” of HIPAA-covered entities.
Perhaps equally interesting is that patients once again will have the right to limit release of treatment records to insurance companies if they paid out-of-pocket for that treatment. Look out for problems and potential fines arising from mistakes in granting the wrong business partners access to the wrong data. Greatly increased penalties for privacy and security violations under the ARRA are explained in the new ruling.
Read the HHS news release.
Read the rule in the Federal Register (you've still got time to comment).