Buried within the huge American Recovery and Reinvestment Act (a.k.a. the “Stimulus Bill”) are a few changes to HIPAA’s Privacy and Security Rules, increasing the scope of coverage to include Business Associates. This means data security providers, contractors, and partners can be directly fined for information security breaches that occur on their watch. The bill also increases the penalties for some of the violations.
Previously, Business Associates were required to comply only with a written business associate agreement. Now Business Associates are subject to many of the same requirements that hospitals and medical providers are. They will be required to appoint a security official, develop written policies and procedures pertaining to data leakage, and train their workforce in electronic data protection.
In addition, breach notification requirements were increased. If a breach occurs, the specific business entity that suffered the breach will be required to notify every individual affected by it. If current contact information is not available, the entity may be required to post notification on its website or in some other broadcast medium (television, newspapers). The bill also provides for the creation of a website by the Department of Health and Human Services to list information about these breaches.