- HIPAA: Does Your Lease Comply?
- May 22, 2013 | Authors: Stacey A. Borowicz; Simi Botic
- Law Firm: Dinsmore & Shohl LLP - Columbus Office
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) protects all "individually identifiable health information," commonly referred to as protected health information (“PHI”), held or transmitted by a covered entity or its business associates. A “Business Associate” is any party that may be required to use, disclose or create PHI from or on behalf of a Covered Entity. Although most landlord and tenant relationships do not require business associate agreements, health care providers must ensure that their leases contain language to address the confidentiality and restricted access of all PHI.
When drafting or amending a healthcare provider lease, review and address the following:
1. Are the landlord and tenant business associates? If yes, the lease should contain a copy of the parties’ business associate agreement that outlines each party’s obligations with respect to PHI and address any specific access limitations.
2. If the parties are not business associates, make certain there is a provision that expressly acknowledges the existence of PHI, the confidentially of PHI, and the restricted access and safeguards in place that prohibit the non-covered entity’s access to the provider’s PHI.
3. If HIPAA training is necessary, spell out who will be responsible for the training (i.e. landlord or tenant) and who will be required to attend.
4. Revise any provisions that conflict with HIPAA, including any provision that permits unrestricted access by landlord in any area of a building with PHI. Ensure that the landlord is prohibited from putting liens on patient files or any asset that stores PHI.
5. Add a termination provision that allows the covered entity to terminate the lease without penalty if the landlord violates HIPAA or the HIPAA related restrictions in the lease.
Health care providers should review their current leases and subleases annually to ensure HIPAA compliance.