Theodore J. Folkman
In the last days of the Clinton administration, the Department of Health and Human Services, acting under the Health Insurance Portability and Accountability Act, or HIPAA, published the Privacy Rule, which prescribes new, nationwide standards for the privacy of individually identifiable health information. The Privacy Rule went into effect on April 14, 2003, with a grace period of a year for certain smaller health plans.
Health care providers and health plans must by now be familiar with the new requirements imposed on them. The Rules, however, also indirectly affect other businesses that have access to health information in the course of their business. Under the Privacy Rule, all “covered entities” (health care providers who transmit health information in electronic form, health plans, and health care clearinghouses) must enter into written agreements with all businesses that perform or assist in any function or activity involving the use or disclosure of individually identifiable health information on behalf of the covered entity. In the written agreement, the business (known as a “business associate”) must provide the covered entity with satisfactory assurances that it will appropriately safeguard the information. Such agreements are likely to require the business associate to implement administrative, physical, and technical safeguards to reasonably and appropriately protect the confidentiality, integrity, and availability of health information stored electronically. The agreement will likely also require the business associate to impose an obligation to implement reasonable and appropriate safeguards on its agents and subcontractors, and to report security incidents of which it is aware to the covered entity. These particular requirements will become mandatory in 2005, when the Security Rule, published by HHS in February 2003, becomes effective.
Who is affected? Companies that contract with health care providers to perform such tasks as claims processing, data analysis, utilization review, and practice management, among others, are likely to find themselves asked to sign such an agreement. Any business that provides services to a health plan, health care clearinghouse, or health care provider and that has access to patients’ individually identifiable health information will thus be indirectly affected by the new rules.
Even businesses that do not have continuing relationships with health care providers or plans should be aware of the new requirements. For example, a business that is hired, on a one-time basis, to update a health plan’s computer network or to consult on its billing practices may find itself required to sign a business associate agreement if, in the course of its work with the plan, it will make use of individually identifiable health care information.
As a practical matter, business associates should consider drafting their own business associate agreements rather than relying on the covered entity to provide an agreement. Businesses know their own technology and processes better than do their customers, and can therefore better tailor the agreements to suit their circumstances. As in any contract situation, it may be advisable to shift the risks to the other party. Thus, for example, a business associate with sufficient bargaining power may want to consider negotiating for the covered entity to indemnify it for costs it incurs if a patient claims that the covered entity violated the regulations. A business associate should also seek to include a clause making it clear that no third parties are beneficiaries of the contract between it and the covered entity. Since the business associate that violates the agreement is likely liable only for breaches of its contract (and not for violations of the Rules themselves), this provision may help to shield the business associate from some claims, though there is a danger that patients could assert claims against business associates for violations of their privacy under state law rather than for breach of the contract or violation of the HIPAA Rules themselves. Finally, the Rules permit, but do not require, the agreement to contain a provision giving the business associate an opportunity to cure breaches of the agreement. Business associates might seek to include such a provision.
The legal implications of HIPAA for non-healthcare businesses have yet to be fully developed. While the Rules filter through vertical markets, “business associates” need to be especially alert to the still undefined risks.