HIPAA - WHAT ARE THE RULES?
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. The purpose of the Act was to require healthcare providers to meet certain baseline standards to protect the privacy and security of patient medical records.
Who does HIPAA cover and what does it cover?

"Covered Entities"

a) Healthcare providers that engage in HIPAA electronic standard transactions. This includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies.

b) Health plans. These include entities such as health insurance companies, HMOs, company-sponsored health plans, government programs that pay for health care (Medicare, Medicaid), and military and veteran programs.

c) Healthcare clearinghouses. These are entities that process non-standard health information they receive from another entity into a standard format.
"Business Associates"

Prior to the passage of the final rules in 2013, Business Associates were not directly liable under HIPAA. They were contractually liable to Covered Entities through a "Business Associate Agreement." Business Associates, in turn, were required to hold their subcontractors responsible for the same contractual obligations. Following the passage of the 2013 rules, Business Associates are now directly liable under HIPAA.
What does this mean for you?

If a law firm, attorney and/or paralegal is performing a function or activity on behalf of, or certain services for, a Covered Entity, and that work involves the disclosure of Protected Health Information (PHI), the law firm, attorney and/or paralegal may be considered a Business Associate. It is critical to determine where the health information is coming from and on whose behalf you are using that information. If, for example, your law firm requires access to PHI in order to defend a hospital in a medical malpractice case, you would be a Business Associate. If the information is requested by the patient/plaintiff in a medical malpractice case and the information came at the request of the individual, your firm would not be a "Business Associate."
Business Associates must have HIPAA-compliant written agreements in place with Covered Entities, as well as subcontractor Business Associate Agreements with any subcontractors that have access to PHI.

The Business Associate Agreement must provide that the Business Associate or Subcontractor will comply with the following:

i. The Security Rule with respect to electronic PHI;

ii. To use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its Business Associate Agreement with the Covered Entity;

iii. Not to disclose or use the PHI other than as permitted by the Business Associate Agreement or as required by law;

iv. To comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligations;

v. To make available to the Secretary of HHS its internal practices, books and records relating to the use and disclosure of PHI for determination of compliance;

vi. To ensure that all subcontractors agree to comply with the same restrictions and conditions that apply to the Business Associate;

vii. To promptly report any security incidents and breaches of unsecured PHI to the Covered Entity.
In our next Newsletter, we will talk about violations, penalties and further requirements.