Although they were toned down from an earlier proposal, the federal government's new medical privacy regulations deputize healthcare providers as the new sheriffs of their business associates.
HHS published the final regulations, which implement the privacy requirements of the Health Insurance Portability and Accountability Act of 1996, in the Dec. 28 Federal Register.
Under the regulations, providers who know of a privacy breach by a business associate are required to report or correct the violation. That's a departure from the proposed regulation, which required providers to actively monitor the compliance activities of their business partners.
Under HIPAA, a business associate is any outside organization that handles confidential health information in the context of providing or administering care. That would include everyone from insurers and employers to disease management companies hired to manage chronic conditions.
"The final regulation is an improvement over the draft," said Donald Palmisano, a member of the American Medical Association board of trustees and a New Orleans surgeon.
"Now physicians have to know about a pattern that endangers patient privacy and wouldn't be liable unless they knew about it and didn't take steps to correct or report it," Palmisano said.
Others agreed that while the spirit of the proposed requirement didn't change, the final requirement isn't quite as demanding.
"The knowledge standard is more reasonable but doesn't let you off the hook," said attorney Melinda Hatton, vice president and chief Washington counsel of the American Hospital Association.
"We're mindful that there are still plenty of litigation minefields out there that the plaintiffs' bar can use . . . but it was a helpful recognition on the part of HHS that there needs to be a cooperative relationship in order to implement this rule," she said.
The business associate provision, with which providers must comply by February 2003, has sparked some concern elsewhere in the industry from those who would be subject to oversight by hospitals and physicians.
"Certainly business partners ought to comply with federal regulations," Charles "Chip" Kahn, president of the Health Insurance Association of America, said in a written statement. The HIAA represents commercial health insurers.
However, he said, "The regulations impose an unfair burden upon health insurers and health plans by requiring them to be responsible for the confidentiality of medical information out of their control."
Under the final business associate provision, providers must sign agreements with each of their business associates that have access to patients' personal health information. That agreement will require the business associate to be as careful as caregivers themselves with any patient data it handles.
Efforts to sign the necessary agreements and develop policies and procedures that keep a tight lid on patient information "will require the diversion of resources from other tasks," said healthcare attorney Mark Lutes of the Washington firm Epstein, Becker & Green.
Another change in the final regulation was in a provision that would have required each business partner agreement to give patients the right to seek damages for a privacy breach committed by their doctor's business associate.
Instead, the provision says that the business associate contract does not need to name patients as third-party beneficiaries.
The third-party beneficiary designation "was a hotly debated provision because it would change the nature of the enforcement from a federal enforcement, which is targeted toward patterns and practices, to individual enforcement, which would be costly (to providers)," Lutes said.