HIPAA Compliance—by the Non-Health Care Business!
BY MICHAEL J. WOLFSON
Non-health care businesses doing business with health care institutions now can face daunting demands for compliance with the Health Insurance Portability and Accountability Act of 1996, a/k/a "HIPAA." Though HIPAA itself may require some of these, many arise from a misperception of HIPAA's reach and scope and thus may be avoided or reduced.
HIPAA imposes many controls over the release and dissemination of patient-related "protected health information" ("PHI") concerning matters such as diagnoses, treatments and insurance. The Act requires of health plans, health care clearinghouses and providers ("Covered Entities") "satisfactory assurances" from their "Business Associates" that PHI will be appropriately safeguarded. Covered Entities therefore routinely present their contracting parties with form confidentiality agreements that apply sweeping PHI protection safeguards.
The business faced with such demands should first determine whether it is a Business Associate at all and, second, whether the institution is asking for more than it needs.
Are you a "Business Associate"?
According to the federal Department of Health and Human Services ("HHS") regulations, a Business Associate is a party that performs functions or delivers services involving the use or disclosure of PHI; conversely, a vendor is not a Business Associate when it receives no PHI, or if any receipt of PHI is "incidental."
So, determine first whether you will have any need for PHI at all. For example, while a vendor of data processing or billing services to a Covered Entity would probably see PHI and thus be a Business Associate, a vendor of just software to a Covered Entity probably wouldn't.
If a party is not a Business Associate, it may be worth inserting language such as: "[Covered Entity] agrees, and Vendor acknowledges, that [Covered Entity] will not provide Vendor with any protected health information (as defined by applicable federal and state law or regulations)." Although the Covered Entity may object that it should not be responsible for withholding PHI, HIPAA already requires that it have systems to control access to PHI. Alternatively, even a standard confidentiality clause would be far less disruptive to the non-Business Associate's operations than detailed HIPAA restrictions.
What are the "Business Associate's" Obligations?
The Covered Entity may seek to apply to the Business Associate all the extensive HIPAA requirements to which it is itself subject. In addition, its form agreement may also call upon the Business Associate to indemnify the Covered Entity for any breaches of confidentiality restrictions. But HIPAA does not require these provisions; it requires only a written agreement that:
- Restricts the use and disclosure of PHI;
- Applies "appropriate safeguards" to enforce the restrictions;
- Binds agents and subcontractors to the same restrictions and safeguards;
- Requires the reporting of unauthorized use or disclosures, and the return or destruction of all PHI upon the termination of the agreement (or, if not possible, to extend the PHI protections as long as the PHI is retained);
- Accords HHS audit rights over the use and disclosure of the PHI, and obligates the Business Associate to assist HHS with the same; and
- Requires the amendment or correction of PHI held by the Business Associate as may be directed by the Covered Entity.
[Sound familiar? Many of these requirements differ little from the confidentiality requirements that many businesses enter into willingly in doing business with any entity that cares to protect its confidential information or that of others. See John Jewett's article on p. 2 of this issue. - Ed.]
Covered Entity's Liability for a Business Associate's Breach of Confidentiality
If a Covered Entity becomes aware of a Business Associate's breach of its PHI obligations, the Covered Entity is required to take reasonable steps to cure the breach or end the violation; if that is not possible, the Covered Entity must terminate the agreement with the Business Associate (or report the problem to HHS).
Note that HIPAA does not require a Business Associate to indemnify the Covered Entity; in fact, HIPAA does not even hold a Covered Entity liable for a breach of PHI protections by a Business Associate as long as the Covered Entity takes the required steps on learning of the breach.
Comment: Don't allow a contracting partner to impose restrictions on your use of Protected Health Information that are more onerous than HIPAA's actual requirements!
© ASSOCIATION OF INDEPENDENT GENERAL COUNSEL 2005; (all rights reserved). This article is not intended as legal advice. Consult a qualified attorney for assistance concerning a specific issue or problem.