HIPAA legal and regulatory compliance can help healthcare entities, such as doctors’ offices, mitigate liability risk. However, compliance must include strong HIPAA policies, procedures, and forms that are legally compliant, as well as a culture of compliance. In Don’t Let “Business Associates” Create HIPAA Mess, the AMA warns that physicians and other health care providers should have business associate agreements in place with their business associates:
Those are contracts that physicians present to their business associates — outside entities, vendors and individuals — who have access to protected health information. Physicians have had to make sure that their agreements specifically provide that these associates agree not to release any protected health information to a third party without authorization or in violation of the HIPAA privacy rule.
The AMA notes that a properly drafted business associate agreement can potentially help limit physician liability for data breaches and HIPAA violations by a business associate. This is why it is important to hire experienced legal counsel to help protect against unnecessary and unwarranted HIPAA liability exposure. Among other things, the business associate agreement should allow the covered entity to receive reporting from the business associate on its HIPAA compliance. Under HITECH, all the privacy and security provisions of HIPAA also apply to business associates and to their subcontractors. As the founding fathers said, vigilance is the eternal price of liberty. Regulatory compliance includes a vigilant work culture that is on guard against HIPAA breaches. It appears that despite compliance efforts, many health care organizations (including physician practices) nonetheless experience serious data breaches:
There are many ways data breaches can occur, but the proliferation of mobile device use in health care is increasing the risk of breaches for many organizations. Thirty-one percent of the HIMSS/Kroll survey respondents said use of portable devices was putting them at risk… Securing patient data on mobile devices has become such an important facet of data security that the Health and Human Services Office of the National Coordinator for Health Information Technology held a roundtable in March to discuss strategies for mobile device security. Another big issue is breaches that are caused by those outside a practice. Twenty-eight percent of respondents said sharing data with external parties was putting them at risk. “There are numerous reports of security breaches that have taken place as a result of the actions taken by business associates handling identifiable health information,” said Lisa Gallagher, senior director of privacy and security for HIMSS.
Any physician practice (whether medical, osteopathic, or naturopathic) or chiropractic practice, or other covered entity under HIPAA, that bills healthcare claims electronically, should have a full set of HIPAA policies, procedures, and forms, as well as training. Our law firm handles HIPAA legal issues and can assess your practice or entity and draft privacy and security documents to facilitate regulatory compliance. Contact our HIPAA attorneys for an assessment of your HIPAA and HITECH privacy and security legal needs.

Contact our healthcare law and FDA attorneys for legal advice relevant to your healthcare venture.