A Brief History of HIPAA, ARRA and HiTech
A brief history lesson on HIPAA, ARRA and HiTech:
- In 1996, HIPAA empowered the Secretary of Health and Human Services (HHS) to issue regulations that would address the privacy and security of health data.
- In 1998, HHS issued its first draft of the regulations implementing administrative, technical and physical safeguard requirements for electronic protected health information.
- In 2003, HHS issued its final security regulations, which gave about two years for covered entities to come into compliance.
- In 2005, HHS promulgated enforcement regulations, giving CMS authority to audit covered entities for security regulations compliance.
- In 2009, ARRA expanded applicability of the security regulations to business associates of covered entities.
- At the end of 2009, HHS issued draft regulations to define “meaningful use” within the context of ARRA. Among the proposed requirements for Stage 1 of meaningful use is compliance with the security regulations, specifically performing a risk assessment as required within section 164.308(a)(1) of the security regulations and implementing appropriate mitigations. This requirement under meaningful use is in the draft regulations at section 495.6(c)(17).
- Stage 1 meaningful use requirements became a final rule in 2010. Drafts of Stage 2 and Stage 3 meaningful use are now on the drawing board.
- Starting in 2011, providers that can demonstrate they are “meaningful EHR users” of a certified electronic health records system become eligible to receive incentive payments under the Medicare or Medicaid program.
- In future years, providers must continue to demonstrate that they are meaningful EHR users as that phrase is defined in section 495.6 in future, final rules.
- For Medicare providers that have not adopted a certified EHR by 2015, Medicare will start to reduce base compensation as a penalty for not adopting EHR.
HHS is then supposed to issue regulations that define Stage 2 and Stage 3 “meaningful use,” beyond the basics of (and likely in addition to) the final requirements for Stage 1 compliance. Providers will need to be able to demonstrate compliance with these additional requirements to receive further incentive payments under ARRA.