Articles Tagged with Business Associates

Published on:

Healthcare providers, health plans, health care clearinghouses, and their business associates have an obligation under the Health Insurance Portability and Accountability Act (HIPAA) to protect patient health information protected under the law. Regulations issued by the Department of Health and Human Services (HHS) under HIPAA require HIPAA covered entities and their business associates to implement policies and procedures to address the disposal of electronic protected health information (PHI) and the hardware or electronic media on which it is stored. As a result, secure data disposal is a key process for HIPAA covered entities and their business associates.

The covered entity or business associate must have policies and procedures to ensure PHI cannot be inadvertently disclosed during or after disposal or reuse of its storage media. Next to the theft of lost and stolen laptops and media, the second most common subject of enforcement by the HHS Office for Civil Rights (OCR) has been improper disposal of PHI. For example, South Shore Hospital near Boston faced an attorney general enforcement action after the hospital retained a data management company to dispose of computer tapes containing PHI, but the tapes were lost in transit. The hospital failed to delete the PHI from the tapes before shipping them.[1] In another case, the OCR forced Affinity Health Plan to pay over $1.2M after it returned photocopiers to a leasing company without first removing electronic PHI from them.[2]

Some of the OCR enforcement activities concerned cases involving the improper disposal of paper PHI. The security of paper PHI falls under the Privacy Rule, rather than the Security Rule.[3] In one of the OCR cases, workers left boxes of paper medical records on a retiring physician’s driveway while he was away.[4] In one attorney general enforcement action, the Massachusetts attorney general sued former owners of a medical billing practice and four pathology groups after they improperly disposed of paper records with sensitive PHI in a public dump, which were found by a Boston Globe photographer. The former owners paid $140,000 to settle the claim.[5]

Published on:

If your business provides services to healthcare providers or health insurance companies, your business may have data privacy and security requirements under a federal law called “HIPAA” (the Health Insurance Portability and Accountability Act). If your business offers an online service or application, the first time you may have heard of HIPAA is when your potential customer asks you to sign a “business associate agreement.” Even if you don’t sign a business associate agreement, you may have compliance obligations under HIPAA. And if you fail to comply with HIPAA, you may face penalties and liabilities for violations.

Health records are among the most sensitive sets of information about us. The results of an unauthorized disclosure of health records could be devastating. Leakage of health records could lead to victims’ embarrassment, stigma, job loss, and even identity theft. Following concerns about the privacy and security of health records in the 1990s, the public began to demand protection to ensure that the healthcare industry would implement controls over what information was gathered from patients, how the information could be shared, and the secure management of that information. When Congress overhauled the healthcare laws and called for greater use of electronic transactions, Congress was aware of the need for protections over the privacy and security of health information.

The need for simplifying the administration of healthcare, coupled with a public concern over privacy and security, prompted Congress to include requirements for privacy and security in landmark healthcare legislation enacted in 1996. The 1996 legislation, called the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”),[1] has had a broad impact on the healthcare industry since its enactment, transforming practices for creating, storing, managing, transmitting, and disclosing health information in the United States. Later, Congress passed the Health Information Technology for Economic and Clinical Health Act, also called the “HITECH Act.”[2]