On Tuesday, when President Obama signs into law The American Recovery and Reinvestment Act of 2009, better known as the federal economic stimulus package, the world is going to change for a wide range of healthcare technology companies. For the many healthcare companies that are "business associates" of HIPAA covered entities, their legal obligations, and potential liabilities, will dramatically expand.
The Stimulus will include a provision requiring all business associates to comply with the HIPAA security regulations in the same manner that covered entities comply. That means that business associates must perform security risk assessments and adopt written policies and procedures that address the HIPAA Security Rule's administrative, physical and technical safeguards standards. Simply signing a business associate agreement that states that you will "reasonably and appropriately protect" protected health information will no longer be sufficient.
In addition, HIPAA's civil and criminal penalties will now apply to business associates in the same way that they apply to covered entities. These new provisions will become effective one year after the effective date of the Stimulus legislation.
There are many more significant changes to HIPAA included in the Stimulus, but I'll save that for future postings ....