Don't let "business associates" create a HIPAA mess

Contract Language. By Steven M. Harris, AMNews contributor. June 6, 2005.

CONTRACT LANGUAGE

A column examining the ins and outs of contract issues

SEE ARCHIVES

The Health Insurance Portability and Accountability Act introduced the term "business associate agreements" to the physician vernacular.

Those are contracts that physicians present to their business associates -- outside entities, vendors and individuals -- who have access to protected health information. Physicians have had to make sure that their agreements specifically provide that these associates agree not to release any protected health information to a third party without authorization or in violation of the HIPAA privacy rule.

The question we are most often asked regarding these agreements is: What is my exposure in relation to the actions or omissions of my business associates? Physicians want to know if they are liable once they give their business associates their patients' protected health information, and then the business associates fail to safeguard it.

Your exposure as the covered entity has been difficult to assess due to the lack of regulatory guidelines or clarification. As you know, the HIPAA regulations impose civil and criminal penalties for violations. The Office for Civil Rights has indicated that civil money penalties will be sought against only covered entities, while the Dept. of Justice has indicated that both covered entities and non-covered entities are subject to the HIPAA criminal sanctions.

But some clarification has come. The Dept. of Health and Human Services recently published long-awaited proposed regulations to complete the HIPAA enforcement rule. The regulations include a covered entity's liability -- meaning a physician's liability -- in relation to the actions or inactions of their business associates.