HIPAA Rules Modified
Substantial changes have been proposed by HHS for the
Privacy and Security Rules applicable under HIPAA-HITECH Act provisions. The
proposed rules were released for public comment on July 8th and will
be the new guidelines for HIPAA Compliance once the rules are finalized.
Some of the salient provisions are given below. This
is a brief statement of the more important changes. Please contact the HIPAA
Compliance Division of Ujvala Consultants Pvt Ltd for more details.
1. A Health Information Organization, an E-Prescribing
Gateway, or any other person who provides data transmission services
with respect to PHI to a covered entity and who requires routine access
to such protected health information, or a person who offers a personal
health record to one or more individuals on behalf of a covered entity,
will henceforth be considered a Business Associate.
2. A "subcontractor", meaning a person who acts on behalf
of a business associate other than in the capacity of a member of the
workforce of such business associate, would also be deemed a "business
associate". This definition includes any agents who may act without any
3. Exceptions are provided to the need for BA Contracts
when a covered entity discloses PHI to a health care provider concerning
treatment of an individual.
4. Information about individuals who have been deceased for more
than 50 years would no longer be considered PHI.
5. Certain aspects of enforcement, such as the interpretation
of "Willful neglect", "Reasonable cause to know", "nature and
extent of violation" etc., have been clarified.
6. HIPAA Privacy Rules are now directly applicable to
Business Associates also.
7. A Business Associate's liability for compliance is tied
directly to the Act even if the BA agreement is deficient. (Transition
It is interesting to observe that the notification of the
proposal includes an estimate of how much effort the industry
will need for compliance.
The proposal will force changes to the number of BPOs who
work in India with PHI. An interesting period is ahead of the industry in
achieving the required transformation. It is also clear that the increased
security compliance requirements will be reflected in increased costs, and hence
there would be a revision of PHI-BPO prices across the board. In this
context we need to appreciate the vision of the US regulators, who
incorporated a subsidy of US $17.2 billion at the medical practitioner's level,
which is likely to percolate to downstream industries and cover part or
the whole of the increased costs.
There are a number of lessons in the HIPAA regulatory
process which Indian regulators may also learn and use in implementing
compliance with ITA 2008.