While I was relaxing, I took the time to research the effect of the ARRA, signed into effect Feb. 17 by President Obama, on medical collections.
While it is too soon to see any actual cases filed, I believe a new and very important tool for credit repair
on medical accounts has been provided within this legislation.
I have made changes to the HIPAA letter program on ALL letters and downloaded them this afternoon.
The basic change is summed up and links provided here:
Business associates will now be directly subject to HIPAA and will be subject to HIPAA's civil and criminal penalties.
Business associates are entities who create, use or disclose protected health information on behalf of covered entities
(such as TPAs of group health plans, collection agencies, accounting firms, auditors, law firms, billing
services, transcriptionists, etc.).
Prior to ARRA, business associates were only indirectly regulated by HIPAA through the business associate contract and
only had contractual liability to the covered entity for privacy and/or security breaches. Under ARRA, business associates
will need to implement most of HIPAA's security requirements and many of HIPAA's privacy requirements. Business associates
will need to appoint a security officer, conduct a HIPAA risk analysis, develop written policies and procedures and train
employees as to HIPAA's requirements.
Further, business associates will now have a statutory duty to comply with all the terms of their business associate contracts. Therefore, business associates will need to implement HIPAA privacy and security compliance programs to ensure that protected health information is used and disclosed in accordance with the business associate contracts. This is a drastic change for business associates which will require a significant amount of effort to become compliant. The effective date for these changes to the business associate rules is February 17, 2010. (HOWEVER, THE COMPLIANCE PENALTIES ARE EFFECTIVE FEB. 17, 2009.)
HIPAA now has real teeth. Before ARRA, HHS took a soft, voluntary compliance approach to HIPAA and therefore, the dreaded HIPAA police never materialized. This approach will change under ARRA. The maximum annual civil penalty per violation is now $1.5 million (it had been $25,000 pre-ARRA). State attorneys general now are able to bring suit against a covered entity or business associate who has violated HIPAA to enjoin the wrongful practice and recover damages. HHS now has a statutory duty to investigate complaints, conduct audits and impose penalties. Penalties will be used to fund future HIPAA enforcement initiatives and repay victims of HIPAA violations. These enforcement provisions of HIPAA went into effect on February 17, 2009.
I will be back later or tomorrow to answer PMs and posts.