As most readers are aware from the extensive media coverage,
the Security and Privacy Regulations issued under the Health Insurance
Portability and Accountability Act (HIPAA) became
final in December 2000, with an effective date of April 14, 2001. (Compliance
is not required until April 14, 2003, for most covered entities and until April
14, 2004, for small health plans. 45 CFR § 164.534.) Those
Regulations are directed at three types of covered
entities: Health Plans, Health Care Providers and Health Care Clearinghouses.
45 CFR § 160.102.
The Regulations arguably reach well beyond these three types of covered
entity through the concept of the business associate, which is embedded
in the regulations. 45 CFR § 164.504(e). The
definition of business associate within the HIPAA
Regulations is lengthy and is found at 45 CFR § 160.103.
Most covered entities will have a significant number of business
associates. For a health care provider, the following would likely
be business associates:
Lawyers
Accountants
Medical Transcriptionists
Collection Agencies
Records Copying Firms
For Health Plans, the following would likely be business associates:
Third Party Administrators
Utilization Management Firms
Preferred Provider Organizations
Lawyers
Accountants
The Regulations require that covered entities execute written
agreements with all of their business associates. 45 CFR §
164.504(e). Further, those written agreements must contain the following
provisions:
· Language that restricts the use or further disclosure
of the information other than as permitted by the contract or
as required by law.
· Language that requires the business associate to use
appropriate safeguards to prevent any use or disclosure of protected
health information (PHI) other than as provided for
by its contract. (Protected Health Information, or PHI,
is a defined term within the Regulations. It encompasses a wide
variety of individually identifiable health information and replaces
the more generic industry term "medical records.")
· Language that requires the business associate to report
to the covered entity any use or disclosure of PHI not provided
for by the contract of which it becomes aware.
· Language that requires the business associate to ensure
that any agents, including subcontractors, to whom PHI is disclosed
by the business associate on behalf of a covered entity agree
to the same restrictions and conditions that apply to the business
associate with respect to PHI.
· Language that requires the business associate to make
available PHI in accordance with HIPAA.
· Language that requires the business associate to make
available the information required to provide an accounting of
disclosures in accordance with HIPAA.
· Language that requires the business associate to make
its internal practices, books, and records relating to the use
and disclosure of PHI received from, or created or received by
the business associate on behalf of, the covered entity available to the
Secretary of Health and Human Services for purposes of determining compliance.
· Language that requires the business associate, upon termination
of the contract, to return or destroy all PHI and retain no copies.
45 CFR § 164.504(e)(1), (2).
Once a covered entity has entered into a written agreement with
a business associate, that agreement must be monitored for compliance.
It is important to note that the covered entity will be responsible
(in terms of civil penalties under HIPAA) for the acts and omissions
of its business associate. Thus, there is significant regulatory
incentive for covered entities to monitor the activities of their
business associates.
As you can determine from the foregoing, the reach of the HIPAA
Security and Privacy Regulations is significantly broadened by
the treatment of business associates. While the Regulations do
not expressly provide for civil penalties or other administrative
enforcement actions against business associates, it is clear that
acts or omissions of business associates may be imputed to the
covered entities with which they deal.
Thus, representation of covered entities in connection with HIPAA
compliance will necessarily require an analysis of business associates
of those covered entities. Additionally, written agreements will
need to be executed and monitored for such business associates
in order to ensure compliance with HIPAA. Conversely, representation
of business associates will require the creation and review of
HIPAA agreements to ensure that the responsibilities and liabilities
assumed are not greater than HIPAA requires.
As of the publication date of this article, the United States
Secretary of Health and Human Services has announced that model
provisions for business associate agreements will be included
in modifications to the regulations. Thus, the preceding requirements
may change or be standardized once HHS issues those modifications
to the regulations.
Kathy A. Steadman Hennelly & Steadman PLC (602) 230-7000;
kas@hslaw-az.com
TIPS
LEGAL DISCLAIMER --
The materials at this site,
including the links to other Web sites, have been provided by
the Tort & Insurance Practice Section of the American Bar
Association for informational purposes only and do not constitute
legal advice, the practice of law, or the endorsement of the content
provided by any linked site. Use of this site does not create
or constitute, in any way, an attorney-client relationship between
the ABA, TIPS, their entities, or any individual members and the
viewer of this site. Neither does the ABA, TIPS, their entities,
nor any of their members assume any responsibility for any misinterpretation
or misapplication of the information contained on this site by
the viewer, or of the content of any Web sites linked to this
site. Points of view or opinions at this site do not necessarily
represent the official policies or positions of the ABA, TIPS,
or any of its entities or members. Users of this site should not
act upon any information received without seeking the advice of
professional legal counsel.