The privacy of health information is protected by federal rules. These rules, which have been recently updated, affect the handling of “protected health information” (“PHI”) by business associates that process claims or provide data analysis, utilization review, quality assurance, billing, data storage, medical research or other similar services to “covered entities” that use PHI. Covered entities (e.g. hospitals, physicians’ practices and health insurance providers) are required to enter into contracts with their business associates handling PHI that protect the privacy and security of patients’ information. Business associates are also required to have agreements with their subcontractors addressing the privacy and security of health information.
A covered entity can be liable for its business associates’ breaches of privacy or security that compromise individuals’ PHI. Similarly, a business associate is liable for the HIPAA violations of its subcontractors. The law requires covered entities to have contracts with their business associates, and business associates to have contracts with their subcontractors, specifying the duties and responsibilities of each party for protecting PHI and reporting the improper disclosure of PHI (“Business Associate Agreements”).
New formal regulations have expanded the definition of a business associate, thereby broadening the types of parties required to protect PHI and enter the business associate agreements. Business associates now include:
Final regulations require business associates with subcontractors that handle PHI to enter into agreements assuring that the subcontractor will comply with privacy and security rules that involve:
Covered entities should review whether their list of business associates has expanded under the new definition of “business associate,” and put new business associate agreements in place, as needed, that meet the expanded requirements of the final regulations. Covered entities, business associates and subcontractors must review and revise their policies, procedures and contracts concerning (1) breach notifications; (2) the sale of PHI; (3) the use of PHI for fundraising; (4) requests to restrict the disclosure of PHI to health plans from individuals who pay out-of-pocket for services; (5) requests for access to PHI in an electronic format; (6) requests to transmit copies of PHI to third persons; (7) disclosure of PHI of deceased patients to family members; (8) disclosure of immunization records for school children; and (9) authorizations for research.