Risk Management Alert - HIPAA Provisions

09.19.13

A NEW HIPAA REGULATION, WHICH MAY AFFECT BUSINESS ASSOCIATES/LAWYERS


EFFECTIVE DATE – SEPTEMBER 23, 2013


Under the HIPAA regulations, a business associate includes: 1) a person who offers a personal health record to one or more individuals on behalf of a covered entity; 2) a person or entity that provides data transmission services with respect to protected health information (PHI) to a covered entity and that requires routine access to such PHI; 3) a person or entity that undertakes patient safety activities on behalf of a covered entity; or 4) subcontractors, no matter how far removed from the primary business associate, that create, receive, maintain or transmit PHI on behalf of a business associate.

While there are numerous provisions in the amended HIPAA regulations, there are three points every attorney should be aware of when dealing with PHI:

1) Unless an exception applies, an impermissible use or disclosure of PHI, even if accidental or inadvertent, is presumed to be a "breach," unless the HIPAA-covered entity can demonstrate that there is a low probability that the PHI has been compromised based upon, at minimum, a four-part risk assessment.

2) The new risk assessment factors are significant, as they provide a specified structure for the risk assessment that, if not adequately performed and documented, could provide a basis for imposition of costly penalties.

3) The Breach Notification Rule extends to business associates and their subcontractors no matter how far removed from the primary business associate.

Every attorney should review these new provisions for complete information, determine how they will impact their current practices and office procedures, and update those practices and procedures to comply with the new requirements.