[BreachExchange] Who is considered a business associate under HIPAA?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 12 20:04:58 EST 2017


http://www.thedailyreporteronline.com/news/2017/01/12/who-is-considered-a-business-associate-under-hipa/

A white paper published this week by the law firm of McDonald Hopkins,
which has an office in Columbus, clarifies who is considered a business
associate under the regulations of the Health Insurance Portability and
Accountability Act of 1996, or HIPAA.

“These days, properly identifying business associates can mean the
difference between a company complying with federal regulations or being in
the middle of a multi-million dollar settlement,” according to a statement
from the firm. “To complicate matters further, HIPAA rules have changed and
the definition of a business associate has expanded.”

Rick Hindmand, a health care attorney at the firm’s Chicago offices, said
that lately, McDonald Hopkins has been seeing businesses and health care
organizations forced into expensive settlements because they don’t realize
when they need a business associate agreement in place.

“Some businesses and subcontractors like IT or cloud service providers
might not even know they are handling health care information and,
therefore, subject to HIPAA rules,” Hindmand said. “We prepared this white
paper because we want our clients and others to have guidance on how to
keep their organizations in compliance with ever-changing privacy and
security standards.”

According to the white paper, a wide range of vendors and contractors that
perform services or other functions for health care providers or health
plans face substantial obligations and potential liabilities as “business
associates” under the Privacy, Security and Breach Notification Rules
included in health care disclosure regulations.

The HIPAA rules allow covered entities to disclose personal health
information to business associates and allow those associates to create and
receive personal health information on behalf of the covered entity,
subject to the terms of a business associate agreement between the parties.

“Historically, business associates were contractually required to maintain
the privacy, and protect the security, of (personal health information) as
provided in their business associate agreements — that is, if they entered
into a business associate agreement,” the paper states. “But until
recently, business associates were not subject to sanctions under the HIPAA
rules for noncompliance with their business associate agreements or HIPAA
rules.”

Under the Omnibus Rule issued by the U.S. Department of Health and Human
Services Office for Civil Rights, the HIPAA rules were amended, and those
amendments took effect in 2013.

Those amendments, in conjunction with the HITECH Act signed into law by
President Barack Obama in 2009, extended HIPAA rule obligations to business
associates and expanded the definition of “business associate” to include
cloud vendors and any company that stores or transmits health information,
along with any subcontractors of those associates.

“Though covered entities and business associates are required to enter into
business associate agreements, anyone who performs services or functions
that fit within the definition of business associate will be subject to the
business associate obligations under the HIPAA rules, even if no business
associate agreement is signed,” according to the paper. “Therefore,
business associates (as well as covered entities) have a proactive
obligation to identify their business associate relationships and satisfy
the HIPAA rules in connection with those relationships.”

In its October 2016 guidance on cloud computing, the Office for Civil
Rights confirmed that a cloud service provider that creates, receives,
maintains or transmits electronic personal health information on behalf of
a health care provider is a HIPAA business associate, even if all of the
health information is encrypted and the service provider cannot access it.

The paper also points out that, in 2016, the Catholic Health Care Services
of the Archdiocese of Philadelphia entered into a $650,000 settlement with
the Office for Civil Rights, demonstrating the severe penalties that
companies face for failing to implement safeguards under the HIPAA rules.

“It is also important to keep in mind that business associates are
potentially subject to the Office for Civil Rights’ HIPAA audits,” the paper
states. “Moreover, state attorneys general and the Federal Trade Commission
have also taken enforcement action against business associates.

“With expanded business associate obligations, scrutiny and related
exposure, it is more important than ever to recognize all business
associate relationships and ensure that appropriate safeguards are
implemented.”

McDonald Hopkins also operates an office in Cleveland as well as a national
health care practice.