Let's Build a Responsible Cyber Society




HIPAA Rules Modified

HHS has proposed substantial changes to the Privacy and Security Rules applicable under the HIPAA-HITECH Act provisions. The proposed rules were released for public comment on July 8th and will become the new guidelines for HIPAA compliance once they are finalized.

Some of the salient provisions are given below. This is a brief statement of the more important changes. Please contact the HIPAA Compliance Division of Ujvala Consultants Pvt Ltd for more details.

1. A Health Information Organization, an E-Prescribing Gateway, or any other person who provides data transmission services with respect to PHI to a covered entity and who requires routine access to such protected health information, or a person who offers a personal health record to one or more individuals on behalf of a covered entity, will henceforth be considered a Business Associate.

2. "Subcontractors", meaning persons who act on behalf of a business associate other than in the capacity of a member of the workforce of such business associate, would also be deemed "business associates". This definition includes any agents who may act without any written contracts.

3. Exceptions to the need for BA Contracts are provided when a covered entity discloses PHI to a health care provider concerning treatment of an individual.

4. Information about individuals who have been deceased for more than 50 years would no longer be considered PHI.

5. Certain aspects of enforcement, such as interpreting the determination of "Willful neglect", "Reasonable cause to know", "nature and extent of violation", etc., have been clarified.

6. HIPAA Privacy Rules are now directly applicable to Business Associates also.

7. Business Associate's liability for compliance is tagged directly to the Act even if the BA agreement is deficient. (Transition Rule).

It is interesting to observe that the notification of the proposal includes an estimate of how much effort the industry will require for compliance.

The proposal will force changes to the number of BPOs who work in India with PHI. An interesting period is ahead for the industry in achieving the required transformation. It is also clear that the increased security compliance requirements will be reflected in increased costs, and hence there would be a revision of PHI-BPO prices across the table. In this context we need to appreciate the vision of the US regulators, who incorporated a subsidy of US $17.2 billion at the medical practitioner's level, which is likely to percolate to downstream industries and cover part or whole of the increased costs.

There are a number of lessons in the HIPAA regulatory process which Indian regulators may also learn and use in implementing compliance with ITA 2008.


July 11 2010



Comments are Welcome at naavi@vsnl.com