Business associates now liable for breaches

One of the most talked-about changes to the HIPAA legislation holds business associates and subcontractors who work with covered entities accountable for the privacy and security of personal health information.

Previously, business associates were liable only if they signed a business associate agreement with a covered entity. Several new entities are considered business associates under the new rule, including health information exchanges, personal health record vendors and cloud service providers.

"In terms of costs for compliance, business associates are going to have a heavier lift," Marcy Wilder, director of the global privacy and information management practice for Washington, D.C.-based law firm Hogan Lovells and prior Deputy General Counsel for HHS, told FierceHealthIT in an interview for this special report on new provisions in the HIPAA law.

Donna Staton, FierceHealthIT Editorial Advisory Board member and CIO at Warrenton, Va.-based Fauquier Health, told FierceHealthIT shortly after the rule was announced that although she is happy to see the increased scrutiny, she wonders how it might impact HIEs and efforts such as population health management going forward.

Wilder, though, thinks that HIEs and other such health-oriented entities aren't likely to be too apprehensive about the new provision.

"For businesses and entities whose core purpose is health or providing support services to providers and plans, they are aware of the rules and will be making additional efforts in terms of compliance," Wilder said.

Additionally, Wilder said she doesn't see vendors who offer healthcare products but do not consider healthcare a core business being scared off, either.

"I don't know yet that the fact that there are new compliance obligations outweighs the business opportunities that exist," she said. "There's certainly going to be a cost associated with moving into or staying in the healthcare sector, but on the other hand, it is very pertinent when you're operating in any sector to be aware of your privacy obligations and to do what's necessary and appropriate."
