Revised HIPAA: Who Is a “Business Associate,” and What Must Each Business Associate Know?

Responding to the ever-increasing need for electronic data security, especially with regard to private medical records and information, Congress passed the Health Insurance Portability and Accountability Act, more commonly known as HIPAA. Designed to prevent breaches of patient privacy, HIPAA not only imposes standards on how data may be transmitted and shared between privileged entities, but also extends the duty of maintaining security beyond direct care providers. In fact, anyone (even sub-sub-contractors) providing particular services to a covered entity that involve “protected health information” (PHI) is a “business associate” for the purposes of HIPAA; lawyers, consultants, accountants, billing companies, document management companies—anyone who would have occasion to encounter PHI in the course of their work for a HIPAA-covered entity—is a “business associate.” A business associate is not only under the same duty as the covered entity to comply with HIPAA, but must also have a Business Associate Agreement (BAA) in place—and it is even possible that, soon, business associates will be compelled to have BAAs with any subcontractors whose services they engage as well. But who are these “covered entities”?

Under HIPAA, “covered entities” are health plans, healthcare clearinghouses, and any healthcare provider that, at one point or another, conducts a transaction in electronic form. These definitions are nuanced and technical: the difference between a covered entity and a non-covered entity can be as minute as whether a clinic conducts certain transactions electronically, or whether a group health plan is self-administered—and even these distinctions are, themselves, nuanced. Once it has been determined whether a given organization is a covered entity or a business associate, the next question that necessarily follows is what security precautions a covered entity or business associate must take to remain HIPAA compliant.

The objective of a HIPAA security policy is to prevent the unauthorized dissemination of PHI, with an emphasis on protecting electronic PHI (ePHI), i.e. computerized PHI; thus, if the PHI was created, sent, received, or stored by a computer, it is ePHI. To this end, HIPAA requires the implementation of not only technical safeguards, but physical and administrative ones as well. On the technical side, this can mean tiered access controls (for example, tiered passwords) so that individuals not authorized to work on a given file cannot view it, while supervisors, security auditors, and compliance officers retain access; it also means encrypting stored files and making certain that every transmission of those files is encrypted as well. Appointing a HIPAA compliance officer is another required measure, since all relevant security measures must be periodically reviewed and updated to keep pace with developments in computer and information security. Furthermore, security breaches must typically be reported to the Department of Health and Human Services (HHS), in a manner that depends on the nature of the breach itself—more nuance and technicality.

The complex and ever-evolving scheme used to distinguish between covered and non-covered entities, along with the potential to incur steep fines or become the subject of a government investigation—to say nothing of the embarrassment and potential loss of faith from clients whose privacy has been violated—all underscore the need to consult attorneys who have made it their business to familiarize themselves with the nuance, technicality, and general inner workings of HIPAA. At Gaitan Morales, our attorneys regularly counsel health care entities and their subcontractors on regulatory issues such as HIPAA, the HITECH rule, the Red Flag rules, and numerous other laws and regulations that govern the medical industry.

To protect your medical practice or associated health care business from a regulatory mishap, call Rafael A. Gaitan today at 305.329.1462 to schedule a free initial consultation and learn more about how the law firm of Gaitan Morales can help you.