Bryan Cave Combines with Berwin Leighton Paisner to Form Bryan Cave Leighton Paisner LLP Learn More

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act modified the Health Insurance Portability and Accountability Act (“HIPAA”) by expanding the definition of Business Associates (“BA”) and their responsibilities and liabilities. A BA is a “person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”1 A BA includes:

  1. Health Information Organizations
  2. E-Prescribing Gateways
  3. Persons/entities that for, or on behalf of, a Covered Entity:
    1. Create or received PHI
    2. Maintain or store PHI even if they do not or can not access the PHI
    3. Offer personal health records
    4. Provide data transmission services if they routinely access the PHI2

Subject to certain exceptions, the HIPAA rules require that covered entities enter into contracts with their BA’s to ensure that the BA’s will appropriately safeguard PHI. [3]  Exceptions to the BA standard includes: (1) disclosures by a covered entity to a health care provider for treatment of the individual; (2) disclosures to a health plan sponsor, provided that the group health plan’s documents have been amended to limit the disclosures; and (3) the collection and sharing of PHI by a health plan that is a public benefits program. [4]  It is important to determine whether a BA contract is required due to the potential for heavy penalties.  In 2016, the U.S. Department of Health and Human Services fined a hospital over $1.5 million when it discovered a six month period during which PHI was transferred to the hospital’s BA without an agreement in place.[5]

The Federal Office for Civil Rights (“OCR”), which enforces HIPAA and HITECH, has identified BAs as one of its top enforcement priorities.  Under HIPAA and HITECH, BAs are directly liable for compliance and subject to the following monetary penalties:

Violation Category

Each Violation

Maximum Penalty per Identical Provision Violated in Calendar Year

Did Not Know

$100 - $50,000

$1,500,000

Reasonable Cause

$1000 - $50,000

$1,500,000

Willful Neglect – Corrected

$10,000 - $50,000

$1,500,000

Willful Neglect – Not Corrected

$50,000

$1,500,000

 

Companies that are considered BAs, or companies that are contracting with a BA, should consider the following checklist when evaluating their compliance with HIPAA and HITECH:

  1. Verify that a Business Associate Agreement is in-place with all service providers that handle PHI.
  2. Designate a security officer.
  3. Perform a Security Risk Assessment.
  4. Implement administrative, physical, and technical safeguards to protect PHI.
  5. Identify and report breaches of security.
  6. Develop policies for HIPAA / HITECH compliance.
  7. Impose disciplinary actions where employees or vendors violate HIPAA / HITECH obligations.
  8. Maintain HIPAA and HITECH relevant documentation for such periods as required by law.

1. U.S. Dep’t of Health & Human Servs., Business Associates, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html (November 20, 2017).

2. 45 C.F.R. § 160.103(3).

3. 45 C.F.R. § 164.308(b)(1).

4. U.S. Dep’t of Health & Human Servs., Business Associates, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html (November 30, 2017).

5. HealthITSecurity, $1.5M HIPAA Settlement Fine for North Memorial Health Care (Mar. 17, 2016),  https://healthitsecurity.com/news/1.5m-hipaa-settlement-fine-for-north-memorial-health-care.