Thank you for sharing!

Your article was successfully shared with the contacts you provided.
If you think the recent Health Insurance Portability and Accountability Act of 1996 regulations only apply to health care providers, health plans and insurance companies — “covered entities” — keep reading. First of all, the definition of health plans includes many employers who collect or otherwise access personal health information to provide employee benefits. In addition, HIPAA standards for electronic transactions and privacy also apply to any business that works with a covered entity and, as a result, receives protected health information. The regulations require “business associates” who have relationships with these covered entities to enter into special contracts with specifically mandated provisions. HIPAA’s standards for electronic transactions are intended to create efficiency and effectiveness for electronic transmission of health information. HIPAA privacy standards are designed to protect and enhance the rights of individuals by providing them with notice, choice, access and security regarding their health information and to prevent the inappropriate use of protected health information by the many entities that have access to such information. WHO IS A BUSINESS ASSOCIATE? A business associate is a person who or entity that, in the course of performing a function or activity on behalf of a covered entity, receives protected health information from that covered entity. Business associates include people who and entities that provide services to or for a covered entity including legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, technology or financial. WHEN MUST A BUSINESS ASSOCIATE COMPLY? Business associates must comply with the standards for electronic transaction regulations no later than Oct. 16, 2002, and with the privacy regulations no later than April 14, 2003. WHAT IS PROTECTED HEALTH INFORMATION? HIPAA defines protected health information as oral or recorded individually identifiable health information which relates to the following: � a person’s past, present or future health; � the provision of health care to an individual; or � past, present or future payment for the provision of health care to an individual; and � that either identifies the individual; or � for which there is a reasonable basis to believe the information can be used to identify the individual. If, in the course of its business, a business associate receives health information from a business partner, the associate must ask these questions: Does this information identify the individual to whom it pertains? If no, could the information somehow be used to identify the individual? If there is a “reasonable basis” to believe the information can be used to identify an individual, it is likely protected health information and will be subject to the HIPAA privacy rule and its specific requirements. COVERED ENTITIES What is the HIPAA privacy rule? Under HIPAA, a covered entity and its business associates cannot access, use or disclose protected health information without a HIPAA-compliant consent or authorization from the individual, unless the access and use of the information falls under a specific exemption in the regulations. (Covered entities, of course, are subject to additional, more extensive requirements.) WHAT MUST A BUSINESS ASSOCIATE DO TO COMPLY? To comply with HIPAA, business associates who receive protected health information in the course of providing services to covered entities must enter into special contracts with covered entities. These contracts will place significant restrictions on the manner in which business associates may use protected health information. The contracts also require business associates to allow individuals to access and amend their protected health information. Specifically, such contracts must provide that the business associate will: � not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; � use appropriate safeguards to prevent use or disclosure of the protected health information other than as provided for by its contract; � report to the covered entity any use or disclosure of the protected health information not provided for by its contract of which it becomes aware; � ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information; � provide an individual a right of access to inspect and obtain a copy of protected health information about the individual; � amend protected health information as individuals appropriately request; � make available to individuals an accounting of disclosures of protected health information; and � make its internal practices, books and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the secretary of health and human services for purposes of determining the covered entity’s compliance with the statute. WHAT ARE THE STANDARDS FOR ELECTRONIC TRANSACTIONS? In addition to the privacy regulations, the regulations for electronic transactions require business associates, when transmitting health, administrative or financial information in an electronic format, to standardize the manner in which they transmit such information. Currently, hundreds of different formats are used in exchanging health data electronically. Under the HIPAA regulations, certain exchanges of health information must be sent according to a prescribed standard. Although a business associate is not a covered entity, HIPAA states that a covered entity may not avoid complying with the requirements by hiring a business associate. If the exchange of information is one for which a standard has been identified and if the parties on either side of the transaction are covered entities, or a business associate engaged by a covered entity, then the electronic transaction regulations may apply to the exchange of information and the covered entity will need to comply with the standards set forth in the regulations. It will be the responsibility of the covered entity to ensure that the business associate complies with HIPAA. POSSIBLE PENALTIES Complying with the privacy requirements means that business associates need to evaluate the manner in which they receive, use and disclose protected health information. To comply with the business associate contracts, business associates must ensure that their employees are informed and prepared to comply with HIPAA. Additionally, business associates need to review their infrastructure to ensure that they can maintain the security of protected health information. Because of the impact of these regulations, business associates should begin to do the following now: � appoint a privacy officer or privacy team who can oversee and administer compliance (not mandatory, but advisable for business associates); � assess the manner in which an organization currently collects, uses and discloses protected health information; � review and revise all contracts with covered entities; � review and revise employee and administrative policies for compliance; and � educate and train employees early (not mandatory for business associates, but will ease compliance). A business associate who does not comply with the HIPAA contractual provisions may be subject to private suits under a variety of privacy causes of action. If a covered entity knows that a business associate materially breached or violated the business associate contract, the covered entity has to take certain steps to ensure compliance with the contract or face liability under HIPAA for its business associate’s breaches. Sanctions include fines and criminal penalties for knowing violations. Tim Watson is a partner at Seyfarth Shaw, www.seyfarth.com, in Houston, and Anamaria Cashman is an associate with the Chicago office.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.