May 20, 2003
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted with the announced purpose of simplifying the accumulation, retention and use of individual healthcare data requirements. Unfortunately, the actual effect of HIPAA has been to vastly complicate an area of law previously dependent on state regulation and common sense. Much of the complication will, unfortunately, become the problem of businesses outside of the healthcare industry.
Most of HIPAA is directed at healthcare providers and insurers (defined in the statute as "covered entities"), but there are many new and unexpected requirements for any company or person to whom an individual's health, medical or medical billing records (under HIPAA, referred to as "protected health information") are disclosed by the covered entity. These secondary recipients of "protected health information", such as law firms, accounting firms, financial services or billing services companies, are defined under HIPAA as "business associates" of the covered entities.
HIPAA requires that any vendor, attorney, contractor or other outsider to the healthcare industry who comes into contact with protected health information enter into a "business associate agreement" with the covered entity providing that information to him. The business associate agreement sets forth the conditions under which the business associate handles the protected health information. Failure to abide by the demands of HIPAA risks sanctions including civil penalties up to $25,000.00 per year per patient for each privacy standard broken and criminal penalties of up to ten years in prison.
HIPAA includes billing services, utilization review services, data processing, personnel and practice management as activities requiring a business associate agreement. Even those with more tangential brushes with protected health information, such as law firms defending malpractice cases or professionals providing accounting or financial services, will be required to enter into business associate agreements if they see protected health information.
Business Associates Agreements
The covered entities are generally to be HIPAA compliant by April 13, 2003, although various extensions and grandfathering of prior agreements generally will extend the time period for entry into business associate agreements. There is still time to comply.
HIPAA leaves the particular contents of each business associate agreement to the entities involved while setting forth several essential elements. In broad terms, each business associate agreement must:
- Set forth exactly what reasonable uses and disclosures of personal health information are allowed to the business associate in connection with his duties;
- Establish what safeguards are in place to prevent greater disclosure than is necessary. These safeguards should be tailored to the business associate and to any others to whom such personal health information might be disclosed in the course of the business associate's duties;
- Provide for self-reporting of any violation by the business associate, its employees or others under its control; and
- Agree to provide all its own administrative practices and records to the government in order to allow the Department of Health and Human Services to ensure HIPAA compliance.
Many covered entities will also demand that their business associates provide additional protection for them against any violations of HIPAA. Already, covered entities have sought to include items such as:
- Indemnification Clauses - requiring that the business associate pay any civil damages awarded against the covered entity for a violation of patient privacy committed by the associate. Generally such an indemnification clause would also require a business associate to pay attorney's fees and expenses for the covered entity.
- Insurance Requirements - requiring that the business associate have insurance for any and all breaches of patient privacy with the covered entity listed as a named insured.
- Warranty Against Bankruptcy - a statement by the principals or owners of the business associate that it is not bankrupt or contemplating bankruptcy and that it has the capacity and ability to perform its obligations under the agreement.
- Warranty of HIPAA Proficiency - a statement that the business associate is knowledgeable about the requirements of HIPAA as are its employees and independent contractors.
Although the federal government does have a model business associate agreement, many of the covered entities are requesting that their business associates sign an agreement allocating more responsibility and liability to the business associates than would be required by HIPAA.
HIPAA Is Just Now Becoming Effective And Litigation Concerning Claims Made Under It Is Sure To Follow Over The Next Several Years
As with any new federal statutory scheme it is difficult to say how HIPAA will be shaped by litigation. There is no question, however, that in apportioning liability between the covered entities and the business associates the central factor will be the business associate agreement.
As litigation ensues over alleged HIPAA violations, the central issue between the covered entities and the business associates will be the wording of their business associate agreements.
A thorough review and preparation of the business associate's agreement on the part of both the covered entity and the business associate can allocate responsibility more clearly and minimize litigation and costs. At Dilworth Paxson, our healthcare group has the experience and knowledge to guide you through HIPAA and the problems with business associate agreements.