Protecting Health Information

The privacy of health information is protected by federal rules. These rules, which have been recently updated, affect the handling of “protected health information” (“PHI”) by business associates that process claims or provide data analysis, utilization review, quality assurance, billing, data storage, medical research or other similar services to "covered entities" that use PHI. Covered entities (e.g. hospitals, physicians' practices and health insurance providers) are required to enter into contracts with their business associates handling PHI that protect the privacy and security of patients’ information. Business associates are also required to have agreements with their subcontractors addressing the privacy and security of health information.

Liability for Vendors

A covered entity can be liable for its business associates’ breaches of privacy or security that compromise individuals’ PHI. Similarly, a business associate is liable for the HIPAA violations of its subcontractor. The law requires covered entities to have contracts with their business associates, and for business associates to have contracts with their subcontractors, specifying the duties and responsibilities of each party for protecting PHI and reporting the improper disclosure of PHI. ("Business Associate Agreements")

Expanded Definition of Business Associate

New formal regulations have expanded the definition of a business associate, thereby broadening the types of parties required to protect PHI and enter the business associate agreements. Business associates now include:

  • Patient safety organizations;
  • Health information organizations (“HIOs”) (i.e. governmental non-profit organizations that handle the electronic exchange of patient health records), e-prescribing gateways and other organizations that routinely access PHI;
  • Data storage companies maintaining PHI;
  • Entities that offer personal health records on behalf of covered entities;
  • Subcontractors that create, receive, maintain or transmit PHI for another business associate.

Business Associate Agreements

Final regulations require business associates with subcontractors that handle PHI to enter into agreements assuring that the subcontractor will comply with privacy and security rules that involve:

  • Notifying covered entity of breaches;
  • Access to a copy of e-PHI;
  • Disclosure of PHI to HHS, if required, for investigations;
  • Accounting to individuals for disclosures of PHI;
  • Complying with security rules by establishing safeguards to protect PHI via administrative, technical and physical means;
  • Complying with rules on accounting for disclosures and revised sales and marketing rules; and
  • Reporting breaches of PHI whether or not any harm has been done.

Next Steps for Covered Entities, Business Associates and Subcontractors

Covered entities should review whether their list of business associates has expanded under the new definition of “business associate,” and put new business associate agreements in place, as needed that meet the expanded requirements of the final regulations. Covered entities, business associates and subcontractors must review and revise their policies, procedures and contracts concerning (1) breach notifications; (2) the sale of PHI; (3) the use of PHI for fund raising; (4) requests to restrict the disclosure of PHI to health plans from individuals who pay out-of- pocket for services; (5) requests for access to PHI in an electronic format; (6) requests to transmit copies of PHI to third persons; (7) disclosure of PHI of deceased patients to family members; (8) disclosure of immunization records for school children; and (9) authorizations for research.