Less than one month to go: Business Associates must comply with the HIPAA Security Rule no later than Wednesday, February 17, 2010. Here are relevant provisions from the American Recovery and Reinvestment Act, Public Law 111-5, which included HITECH Act Subtitle D: Privacy.
42 USC 17931 (PART 1–IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS, Section 13401: Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions).
(a) APPLICATION OF SECURITY PROVISIONS.–Sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements) of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to a covered entity. The additional requirements of this title that relate to security and that are applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.
(b) APPLICATION OF CIVIL AND CRIMINAL PENALTIES.–In the case of a business associate that violates any security provision specified in subsection (a) [above], sections 1176 [General Penalty for Failure to Comply with Requirements and Standards] and 1177 [Wrongful Disclosure of Individually Identifiable Health Information] of the Social Security Act shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision….
42 USC 17953 (Section 13423: EFFECTIVE DATE. Except as otherwise specifically provided, the provisions of part 1 shall take effect on the date that is 12 months after the date of the enactment of this title [which was February 17, 2009]).
If you are a covered entity, make sure that your business associates are aware of the upcoming Security Rule safeguards, policies and procedures, and documentation compliance provisions by February 17, 2010, and that your business associate agreement reflects this obligation. [01/18/2010]