South Carolina Lawyer
Vol. 14, No. 3, Pg. 35.
HIPAA requirements for lawyers - business associate contracts
By Gerald E. DeLoss
Under HIPAA, the Health Insurance Portability and Accountability Act, regulations have been promulgated that require health care providers, plans and clearinghouses to enter into contracts with third parties, known as "business associates." Lawyers are included under the definition of "business associates." These contracts will impose a variety of conditions on lawyers, including requiring the production of internal documents to the government.
This article discusses the background and essential elements of the HIPAA regulations, the requirements for business associate contracts and the unique issues that arise in the attorney-client relationship.
Background and history
Congress enacted HIPAA in 1996. The Department of Health and Human Services (DHHS) subsequently promulgated regulations under HIPAA dealing with the privacy and security of health information.
These regulations, set forth at 45 C.F.R. Pts. 160 and 164, are entitled "Standards for Privacy of Individually Identifiable Health Information" (Privacy Rule). The compliance date for health care providers, health plans other than small health plans, and health care clearinghouses is April 14, 2003. 45 C.F.R. § 164.534. The compliance date for small health plans is April 14, 2004. 45 C.F.R. § 164.534.
On March 27, 2002 the Bush administration issued proposed amendments to the Privacy Rule. The final version of the Privacy Rule was issued on August 14, 2002. 67 Fed. Reg. 53272. Most, if not all, of the proposed amendments were incorporated into the Final Rule.
The Privacy Rule governs the use or disclosure of protected health information (PHI) by a covered entity. PHI is information that may identify an individual and relates to the past, present or future physical or mental health condition of that individual; the provision of health care to that individual; or the past, present, or future payment for such health care. 45 C.F.R. § 164.501. A "covered entity" includes a health care provider who transmits information electronically, a health plan, or a health care clearinghouse. 45 C.F.R. § 160.103. Under the Privacy Rule, a covered entity may only use or disclose PHI in these types of situations:
* to the individual who is the subject of the PHI (45 C.F.R.§ 164.502);
* to carry out treatment, payment or health care operations (45 C.F.R. §164.506);
* under an allowed exception in the Privacy Rule (45 C.F.R. § 164.502);
* pursuant to a valid "authorization" (45 C.F.R. § 164.502); or
* where the PHI has been "de-identified" (45 C.F.R. § 164.502).
In addition, when using or disclosing PHI the covered entity must make reasonable efforts to limit the use or disclosure to the "minimum necessary" PHI to accomplish the intended purpose, except when treating the individual or when authorization has been granted. 45 C.F.R. § 164.502.
Penalties for failure to comply
A covered entity's failure to comply with the Privacy Rule's requirements may result in civil and criminal penalties. DHHS may impose penalties of up to $100 per violation, for a maximum of $25,000 per person, per year. 42 U.S.C. § 1320d-5. In addition, fines of up to $50,000, one year in jail or both may be imposed. 42 U.S.C. § 1320d-6. If the covered entity's actions were committed under false pretenses, then a fine of up to $100,000, imprisonment of up to five years or both may be imposed. 42 U.S.C. § 1320d-6. Finally, if the misconduct occurred with the intent to sell, transfer or use for commercial advantage, personal gain or malicious harm, then a fine up to $250,000, imprisonment up to 10 years or both, may be imposed. 42 U.S.C. § 1320d-6.
The Privacy Rule only directly covers providers, plans and clearinghouses. However, the Rule indirectly governs certain third parties via the covered entities' contracts with the third parties. The third parties, "business associates," are bound to numerous contractual restrictions that must be imposed under the Privacy Rule.
A business associate means a person other than a member of the covered entity's workforce who performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including an entity who:
Provides, ..., legal, actuarial, accounting, consulting, data aggregation, ..., management, administrative, accreditation, or financial services to or for a covered entity, ..., where the provision of the service involves the disclosure of individually identifiable health information....
45 C.F.R. § 160.103 (emphasis added). As is clear from the definition, lawyers may be business associates if the lawyer's services involve the use or disclosure of health information. Those lawyers that fall under the definition must enter into business associate contracts with their covered clients.
If the covered entity knows of a violation by the business associate, then the covered entity must:
* take steps to cure the breach;
* if cure is not possible, then terminate the business associate contract; and
* if termination is not feasible or possible, then report the problem to the DHHS. 45 C.F.R. § 164.504.
If the covered entity fails to take appropriate action, then it will be in violation of the Privacy Rule and subject to the penalties outlined above. Because the Privacy Rule does not directly govern business associates, the business associate is not subject to the penalties or sanctions.
Business associate contracts
The Privacy Rule requirements for business associate contracts are divided into restrictions for public business associates and covered entities, and restrictions for non-public business associates and covered entities.
If either party is non-public, then the Privacy Rule imposes the following general requirements for business associate contracts.
First, the contract must establish the permitted and required uses and disclosures by the business...