Proposed HIPAA Changes Impact Independent Contractors
The Office of Civil Rights (OCR) released their proposed changes to the HIPAA regulations this week. For the medical transcription industry, perhaps the most significant change is a clarification that all subcontractors will also now be considered business associates. What this means for the independent contractor is that you are now responsible for everything in the HIPAA regulations the same as a covered entity or a business associate.
The change is an attempt to assure that protected health information is protected “downstream,” by everyone who has access to it. It will hold independent contractors equally accountable and liable under the law.
This is significant in our industry. Before this proposed change, independent contractors were certainly responsible for protecting the information, however, they were not required to do all of the things listed in the rules. With this change, it appears even an independent contractor who works for a service will have to be able to show documentation that they are compliant. Subcontractors will also have to have a written business associate agreement with their clients, who are business associates to the covered entity.
The document outlining the proposed changes is 234 pages long and lots to read. You can find the beginning of discussion about the changes at the HIPAA4MT website. As I read through more of it (for the second, third, or fourth time), I will also be posting updates there.
The changes are proposed for now, and will be published in the Federal Register on July 14. That will open the 60 day public comment period.
The OCR estimates there are 1,500,000 business associates who will need to spend one hour of legal time in redoing their business associate agreements with their customers. They are not aware of how many subcontractors those business associates have. Business associates will have to have a business associate agreement with each subcontractor they have, and I imagine in our industry that means a lot of man hours to get compliant with these changes.
If you are an independent contractor, it would be wise to start thinking now of how this impacts your business and what you can do to meet the new requirements. I hope this post will spur some discussion here from all of you!
Related posts:
- HIPAA and HITECH: What’s a Medical Transcriptionist to do?
- HIPAA and the HITECH Act: Are you Ready?
- How do the Proposed AHDI Changes Impact You?
- HIPAA Book Update
- HHS Seeking Information on Disclosures
Tagged with: do you have a privacy and security officer • HIPAA • HIPAA compliance • HIPAA privacy rule • HIPAA Security rule • HITECH Act • medical transcription goals
Filed under: Challenges in Medical Transcription • HIPAA
Like this post? Subscribe to my RSS feed and get loads more!
Other than a new “agreement” between myself and the company/companies I contract with, what will the changes mean to me? I suppose I will have to put a lock on my office door and get a locking file cabinet, although I do not keep anything here that has confidential patient information on it. I’m really not sure how this has a real “physical” impact on me, and so far nobody has truly explained this to me. I mean, is everything just theoretical? I don’t get it.
[Reply]
Kathy Reply:
July 10th, 2010 at 3:04 pm
I think it will mean more than that. It will mean you have to have written policies and procedures, will have to do a risk analysis of your set up, will need to have an identified privacy and security officer. I am headed out this afternoon but we will be covering a lot more on this going forward and I definitely suggest the HIPAA4MT site so you can follow things there. If you don’t sign up there, you can always see on this site when new information is posted as I use Twitter and all of my “tweets” are posted on the right hand side of this website.
[Reply]
When you refer to client, do you mean the hospital or doctors office, or are you referring to the MT company that one is an independent contractor for?
[Reply]
Kathy Reply:
July 10th, 2010 at 3:02 pm
Carla, it depends on who your contract is with. If you contract directly with the healthcare provider (doctor or hospital), then you are a business associate and it all applies anyway with the passing of the HITECH Act. If you are an IC for a medical transcription service, then you fit the definition in the rules of a subcontractor. The rule, if the proposed changes are passed, says that you are a “business associate” of the business associate (the MT service), and that you must comply with all of the rules as if you were a covered entity. Hope that helps.
[Reply]
Kathy:
If that last response was for me, I’ve got a lot of work ahead of me and could hopefully find some samples of the types of documentation you are talking about. Personally, I think it’s ridiculous, but I guess I’ll have to do whatever the law says I have to do.
[Reply]
Kathy Reply:
July 10th, 2010 at 9:12 pm
Sherry, it was indeed. Don’t sweat it too much just yet. Through this site and the HIPAA4MT site, we will get it figured out. I’m still going through the proposed changes to be sure I have a clear understanding of how it will all work. Then we’ll get the right resources together.
[Reply]
The clinics I work directly for have already taken care of this for us. All signed, sealed, and delivered. Just one more government control. HIPAA is the biggest money waster, time waster and just plain asinine thing that was ever passed. EVERY doctor I visit agrees with this, but they are being forced to do it. It’s nuts. But my clinics are way ahead of the game and our hindsides are covered on this one.
[Reply]
Kathy Reply:
July 11th, 2010 at 1:31 pm
You’re lucky, Gwen, although I don’t imagine they are done yet since these new requirements just came out Thursday and haven’t posted to the Federal Register yet. Still if they do it for you, that’s a plus. Not sure I agree that it is unnecessary when you take a look at the pages and pages of reported breaches this year. Prior to that, there was no protection for the patient and no way to address it so it’s not that it didn’t happen, it just got swept under the rug a lot.
[Reply]
I am so glad I am retiring in 10 months!!!
[Reply]
I have not read the entire document, of course; however, this scares me a little bit. I work for a very large hospital that has in-house MTs, a pretty big group of ICs, and then has a contract with an MTSO just for when we get really back logged. It scares me because it sounds as if ICs could become too much trouble to employ. Could this put hospitals in a situation where it is actually easier for them to just go to an MTSO? I have been an employee with a major MTSO and enjoyed all the benefits it provided me, but I much prefer working as an IC. Not only do I make considerably more money (without the benefits though), but I can work when I want to. I am confident that I have the skills, the experience, and the foundation from a good school that would allow me to find a good job if this one should suddenly end, but at the same time I would be truly heartbroken to lose this job. Money aside, I just love the hospital I work for and my supervisor.
Every time a change happens like this there always seems to be a “the sky is falling” mentality among some MTs, but this time should we (the ICs) be worried, in your opinion Kathy? From a business perspective, I don’t know if I would want to deal with all of that extra paperwork.
[Reply]
Kathy Reply:
July 12th, 2010 at 1:56 pm
Sarah, I don’t think ICs will be going away at all. ICs who contract directly with a healthcare provider like a hospital or a doctor’s office already ARE business associates. I think what has happened with the ICs is that they have just chosen to ignore that. As for extra paperwork, it’s really not too tough to develop policies and procedures (and the HIPAA4MT website does offer a bundle of sample policies). If ICs will just put together the things they need (because as an IC, you ARE a business, even if it’s a business of one), then they won’t have problems with their customers. Don’t give up on that status as it is a very viable option!
[Reply]
Interesting that the document appears to have been pulled from the government’s website, or at least cannot be accessed, either from the link that’s available on the government website or any of the links that are repeated all over the web in various articles. I believe I found it here (scroll down a bit and click the PDF or HTML icon for the format of your choice):
http://www.regulations.gov/search/Regs/home.html#documentDetail?R=0900006480b195a0
The PDF version is directly from the Federal Register and for me it’s the easier one to read. Also, notice that this is the site where you can register a public comment if you wish.
I’d also like to offer a couple of observations that might help us keep all of this in perspective.
First, we have good reasons to address issues involving the physical security of our home offices anyway – HIPAA or no HIPAA. After all, our incomes depend on our computers and the other electronic “stuff” in our offices like fax machines, etc., which are the very things that a burglar is most likely to carry off. If we’re honest, we have to admit that a lot of us have been very remiss in this area, basically just ignoring the realities and hoping that we won’t be burgled. As someone once said, though, “Hope is not a strategy”.
Second (and I realize this is getting a little psychological), I think it does make a difference if we can try not to think about these things in terms of “what do we HAVE to do?”, but “what CAN we do to be responsible custodians of this terribly sensitive information?” – in other words, treating these rules as providing the benchmarks we need to be good stewards of our professional trust.
When I think about the awful consequences of a breach of this information, I feel inspired (as opposed to required) to do everything possible to guard this information as a sacred obligation and responsibility. If not for rules such as these, I might well have no idea how to go about meeting that responsibility, and so in a very real sense I welcome the rules as a beacon pointing the way. Perhaps this will help you think about them differently, too.
[Reply]
Kathy Reply:
July 15th, 2010 at 11:53 am
Brian, thanks for joining in the conversation. I think you make great points and it IS about what CAN we do to be responsible custodians. I don’t think MTs have ever not felt responsible for protecting the information we access. I do think any time there are “government regulations,” everyone gets a little nervous about what it means. In the end, thes rules aren’t terribly hard to do, it’s a lot of common sense and a lot of just doing the right thing. Glad you stopped by!
[Reply]