Saturday, March 14, 2009

Attorney Comments: HIPAA Extended To Business Associates

The American Recovery and Reinvestment Act (Recovery Act), signed into law on February 17, 2009, broadens the scope of the Health Insurance Portability and Accountability Act (HIPAA) to impact not only covered entities—including physicians, hospitals and health plans—but also those entities that support the healthcare industry as “business associates,” which include third-party administrators, consultants, service providers and attorneys. Additionally, organizations that provide data transmissions of protected health information (PHI) to covered entities or business associates now will be required to enter into business associate agreements with covered entities.

This means that if your entity is sharing protected health information with other entities, there should be written HIPAA agreements with them. Further, if they release a patient's PHI, they will be subjected to potential civil and criminal fines and penalties.

The Recovery Act extends specific HIPAA regulatory requirements to business associates. Beginning February 17, 2010, the administrative, physical and technical safeguard requirements of the security regulations, as well as the polices, procedures and documentation requirements will apply to business associates. Traditionally, business associates were required by contract to use certain precautions regarding the use and disclosure of PHI, and if a business associate unlawfully disclosed PHI, it only faced a breach of contract claim by the covered entity. Under the Recovery Act, business associates now face civil and criminal fines and penalties for HIPAA violations.

The U.S. Department of Health and Human Services (HHS) is now required to conduct periodic audits to make sure covered entities and business associates are complying with the new privacy and security requirements. Additionally, generally effective immediately, state attorneys general have been granted expanded authority to enforce violations of HIPAA on behalf of the citizens of their respective states.

In light of the HIPAA changes contained in the Recovery Act and the impending regulations, covered entities and business associates should prepare to reevaluate current HIPAA policies, assess levels of access to PHI and prepare to incorporate the required changes into business associate agreements.

Any questions or comments should be directed to: Tracy Green is a principal at Green and Associates. They focus their practice on the representation of professionals, particularly health care professionals including individual physicians, corporate providers and group practices.


DISCLAIMER: Green & Associates' articles and blog postings are prepared as a service to the public and are not intended to grant rights or impose obligations. Nothing in this website should be construed as legal advice. Green & Associates' articles and blog postings may contain references or links to statutes, regulations, or other policy materials. The information provided is only intended to be a general summary. It is not intended to take the place of either the written law or regulations. We encourage readers to review the specific statutes, regulations, and other interpretive materials for a full and accurate statement of their contents and contact their attorney for legal advice. The primary purpose of this website is not the commercial advertisement or promotion of a commercial product or service and this website is not an advertisement or solicitation. Anyone viewing this web site in a state where the web site fails to comply with all laws and ethical rules of that state, should disregard this web site.

The information provided on this website is for informational purposes only. It is not intended to create, and does not create, a lawyer-client relationship with Green & Associates, Attorneys at Law. Sending an e-mail to Tracy Green does not contractually obligate them to represent you as your lawyer, or create any type of client relationship. No attorney-client relationship will be formed absent a written engagement or retainer letter agreement signed by both Green & Associates and client and which specifies the scope of the engagement.

Please note that e-mail transmission is not secure unless it is encrypted. E-mail messages sent to Ms. Green should not include confidential or sensitive information.