[BreachExchange] HIPAA tips for startups: Negotiating business associate agreements

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 27 20:52:23 EDT 2016


http://www.bizjournals.com/milwaukee/news/2016/09/27/hipaa-tips-for-startups-negotiating-business.html

The first time you walk into a doctor’s office you have to sign an
acknowledgement that you received a copy of the practice’s HIPAA Notice of
Privacy Practices. But, does anyone ever read it (besides health care
lawyers)? While HIPAA is definitely not a new acronym in your vocabulary,
you may not have considered whether and how it impacts your startup.

HIPAA is a federal law that protects the privacy and security of
individually identifiable health information—called “protected health
information” (“PHI”). One of the most widely publicized purposes of HIPAA
is to make health insurance more portable when employees change jobs.

HIPAA, however, has far-reaching implications for the health information world.
Its implementation caused the development of national standards for
electronic health care transactions and code sets, unique health
identifiers and security, and thereby served as a catalyst for today’s
proliferation of electronic medical records.

Who needs to comply with HIPAA?

HIPAA covers two categories of individuals/entities: covered entities and
business associates. Covered entities include health care providers, health
plans and health care clearinghouses. Business associates consist of
individuals or entities that perform a service on behalf of a covered
entity that involves creating, receiving, maintaining or transmitting PHI.
Click here for a more comprehensive discussion on compliance
(http://www.reinhartlaw.com/knowledge/hipaa-tips-start-ups-negotiating-business-associate-agreements/).

You are a business associate. Now what?

As business associates, startups are required to comply with most of
HIPAA’s security provisions, as well as some of the requirements of HIPAA’s
privacy rule and breach notification rule. Among many other requirements,
business associates must implement certain administrative, physical and
technical safeguards to protect PHI, conduct an annual security risk
assessment, and notify individuals of any breach of their PHI.

What are business associate agreements?

A business associate agreement is generally a stand-alone agreement,
distinct from (or an exhibit to) the main services or license agreements
that the parties sign. That being said, business associate agreements are
very important as they lay out each party’s rights and responsibilities
with respect to PHI. If not correctly negotiated, business associate
agreements can be a source of great liability. Click here for a more
comprehensive discussion of business associate agreements
(http://www.reinhartlaw.com/knowledge/hipaa-tips-start-ups-negotiating-business-associate-agreements),
including their requirements and why it's important to negotiate them.

What about subcontractors?

As described above, under HIPAA, each business associate must ensure that
any subcontractors that create, receive, maintain or transmit PHI on the
business associate’s behalf agree in writing to the same restrictions and
conditions that apply to the business associate with respect to such
information. That being said, it may not be sufficient to simply repurpose
the business associate agreement the business associate signed with the
covered entity. Instead, careful consideration should be given to
provisions containing timeframes to ensure that all parties are able to
meet their obligations.