HIPAA: Covered Entities and Business Associate Agreements

Posted by Aaron Harshman, on October 7, 2016

The internet and mobile technology drive the demand for instant access to information to new heights daily.  While we want more information on more systems accessible from more devices, security, contract, and privacy considerations sometimes lag behind.  In some cases, the developing mentality driving access to information overshadows the duty of each person handling and transmitting sensitive data, particularly private health data.

Just recently, Healthcaredive.com reported that Care New England Health System (“CNE”) will pay $400,000 and be required to implement corrective action to address potential HIPAA violations.  HIPAA is the Health Insurance Portability and Accountability Act.  The Act, among other things, establishes a mandatory standard for electronic health care transactions, records, and treatment of identifying data received, retained, or used by covered health care providers.  CNE was found in violation by the Department of Health and Human Services’ Office for Civil Rights (“OCR”), the governmental body typically responsible for enforcement of HIPAA.  CNE’s violations?  Lost back-up tapes and Business Services Agreements which had not been updated since 2005.

As a business owner, what does this mean for you?

Firstly, it is important to know if you are subject to HIPAA.  Parties that are subject to HIPAA are normally called covered entities.  A covered entity includes a healthcare provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.  Obvious examples are doctors, dentists, therapists, and insurance companies if they send medical information or medical billing information electronically.  However, there is an additional category of entities which are also responsible under the rules: Business Associates.  Business Associates under HIPAA include persons or companies that offer a personal health record to one or more individuals on behalf of a covered entity, a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a business associate, and more.

What does this mean for you if you are a covered entity?  Your company must know each of the companies and vendors with whom it works, and know which ones receive some kind of personal health information from you.  With each of those companies and vendors, you will need to enter into a Business Associate Agreement in order to ensure that you can disclose the information to that party.  Otherwise, disclosing the health or billing information may be considered a breach in violation of HIPAA.  As we learned from the case of CNE, even if you have the agreement, you must verify that such agreements are up to date and legally sufficient.

What does this mean for you if you are a business associate to a covered entity?  You may need to take inventory of the companies that have disclosed this type of information to you in the past.  You may need to complete Business Associate Agreements with the covered entities with whom you continue to work.  You may be responsible to report to the government or covered entities with whom you no longer work.  Each situation is fact-sensitive, and you should seek qualified legal advice to guide your decision-making.

The most important thing is to be aware and to act soon if you believe you are a covered entity disclosing in violation of HIPAA or a business associate receiving information in violation of HIPAA.  Correcting the problem may be relatively inexpensive compared to facing sanctions by the OCR.  For example, penalties may be from $0-$100 per violation for an accidental violation, but could grow to $10,000-$50,000 or more per violation if the violations were due to willful neglect.

Whatever your situation, act today to improve it.  Our team is experienced in all aspects of business law and can advise you on how to comply with HIPAA and reduce your risk before it becomes a problem.

For further reading on CNE and business associate agreements, read this.


Reiling Teder & Schrier, LLC is an Indiana Limited Liability Company. The information contained in this website has been prepared by Reiling Teder & Schrier, LLC for informational purposes only, and is not legal advice. The information on this website should not be relied upon to make any decision, legal or otherwise. If you have any specific questions or inquiries regarding any of the information contained in this website, you should consult with an attorney licensed in your state. The information contained in this website pertains only to matters of Indiana law and the laws of other states may be completely different from the laws of the State of Indiana.