Resources for Business Associates
HITECH Act Expands HIPAA Privacy and Security Rules: On February 17th, President Obama signed the American Recovery and Reinvestment Act of 2009 (the stimulus bill). The bill created the Technology for Economic and Clinical Health Act (HITECH). HITECH substantially expands the HIPAA Privacy and Security Rules and increases the penalties for violations of HIPAA.
The Act applies HIPAA privacy and security requirements directly to business associates;
establishes mandatory federal breach reporting requirements for HIPAA covered entities and their business associates;
creates new privacy requirements for HIPAA covered entities and their business associates, including new accounting requirements for electronic health records, restrictions on marketing and fundraising, and other developments; and
establishes new criminal and civil penalties for noncompliance and new enforcement responsibilities.
HITECH imposes certain requirements on business associates with respect to privacy, security and breach notification and contemplates that such requirements shall be implemented by regulations to be adopted by the Department of Health and Human Services ("HHS").
The provisions of HITECH that apply to business associates and are required to be incorporated by reference in a business associate agreement are hereby incorporated into the existing BAA as of the respective Applicable Effective Dates including, without limitation, 42 U.S.C. Sections 17935(b), (c), (d) & (e), and 17936(a) & (b).
Notification of Breach. – BA shall notify UMDNJ within twenty-four (24) hours of any suspected or actual breach of security, intrusion or unauthorized use or disclosure of PHI of which BA becomes aware and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state law or regulations by using the “NOTIFICATION TO THE COVERED ENTITY ABOUT A BREACH OF UNSECURED PROTECTED HEALTH INFORMATION” form.