QUESTION: What is HIPAA? Does it apply to me?
ANSWER: HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA does the following:
- Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
- Reduces health care fraud and abuse;
- Mandates industry-wide standards for health care information on electronic billing and other processes; and
- Requires the protection and confidential handling of protected health information.
While all four are important, we will focus on HIPAA liability for business associates related to the handling of protected health information (PHI).
Below are specific HIPAA violations that business associates can be directly liable for. Key areas of liability include a business associate’s failure to:
- Comply with the HIPAA Privacy Rule’s restrictions regarding the use and disclosure of protected health information (PHI);
- Comply with the HIPAA Security Rule’s requirements for safeguarding electronic PHI (ePHI);
- Provide notification when it discovers a breach of unsecured PHI; and
- Enter into business associate agreements with subcontractors.
The HIPAA Privacy, Security and Breach Notification Rules (HIPAA Rules) apply to covered entities, which include health plans, health care clearinghouses and most health care providers. The HIPAA Rules also apply to other entities that perform functions or activities on behalf of a covered entity when those services involve access to, or the use or disclosure of, PHI. These entities are called business associates. Examples of business associates include third-party administrators (TPAs), pharmacy benefit managers, attorneys or auditors that use PHI when performing their professional services, and health plan consultants or brokers.
If a covered entity uses a business associate, there must be a written agreement between the parties, called a business associate agreement, that requires the business associate to comply with certain requirements under the HIPAA Rules.
Business associates are directly liable for the following HIPAA violations:
- Failing to comply with the requirements of the Security Rule;
- Impermissible uses and disclosures of PHI;
- Failing to provide breach notification to a covered entity (or another business associate);
- Failing to enter into business associate agreements with subcontractors that create or receive PHI on the business associate’s behalf, and failure to comply with the implementation requirements for those agreements;
- Failing to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement;
- Failing to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request;
- Failing, in certain circumstances, to provide an accounting of PHI disclosures;
- Failing to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and (c)(3)(ii), respectively;
- Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules; and
- Failing to provide HHS with records and compliance reports, cooperate with complaint investigations and compliance reviews, and permit access by HHS to information, including PHI, relevant to determining compliance.
Zywave produces an excellent HIPAA privacy and security compliance toolkit for employers that you can access here.