By: Mathew J. Levy, Esq. & Stacey Lipitz Marder, Esq.
Email the Author

Overview:

Throughout a health care provider’s career, he/she will often enter into several relationships with third party vendors - billing companies, EMR companies, marketing companies, internet providers, staffing companies and medical device/equipment suppliers to name a few.  The relationship between these third party vendors and health care providers is important not only from a business perspective, but also a compliance perspective.  These third party vendors often have access to the protected health information of the practice’s patients, rendering such vendors as business associates under the Health Insurance Portability and Accountability Act (“HIPAA”).  Therefore, it is imperative that health care practices understand the applicable rules and regulations governing the relationship between practices and such vendors, and comply with same.  This is especially important in light of the new Health Information Technology for Economic and Clinical Health Act (“HITECH Act”)[1], which amended HIPAA, as there are now more stringent requirements which must be met with respect to the relationship between covered entities (including health care practices and providers) and business associates.  

What is a business associate?:

As per the HITECH Act, business associates are individuals and entities that are not part of a covered entity’s workforce and that engage in activities such as claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; patient safety and repricing, and create, receive, maintain or transmit protected health information to perform certain functions or activities on behalf of a covered entity.  Therefore, if a business associate has access to such protected health information, even if it does not view such information, it is considered a business associate and must therefore comply with all applicable rules and regulations. The final rules also indicates that subcontractors (individuals or entities that business associates delegate functions, activities or services other than a member of such business associate’s work force) that create, receive, maintain or transmit protected health information on behalf of business associates are now considered business associates. Therefore, all requirements and obligations applying to business associates also apply to subcontractors. 

Business Associate Agreements:

Under HIPAA, covered entities were always required to enter into HIPAA compliant business associate contracts with their business associates so that covered entities could obtain "satisfactory assurances" from a business associate that the business associate would appropriately safeguard protected health information.  Amongst other things, HIPAA required business associate agreements to contain language identifying permitted and required uses and disclosures, a limitation on the business associate using or disclosing protected health information other than as stated in the business associate agreement or as required by law, and a statement that the business associate would use appropriate safeguards to prevent the inappropriate use or disclosure of protected health information.

As per the HITECH Act, there are additional requirements that must be met with respect to the business associate agreement, including having language indicating that business associate have compliant written security policies and procedures, as well as specifying that business associates must timely report breaches of unsecured protected health information to the covered entity.  Furthermore, all business associate agreements should indicate that business associates should enter into agreements with their subcontractors in order to ensure that any protected health information disclosed is adequately protected. As such, it is recommended that such business associate agreements be revised to make certain that the business associates comply with the electronic security rules under HIPAA.  Interestingly, under the HITECH Act, business associates are now also required to enter into HIPAA compliant business associate agreements with their subcontractors, although covered entities are not required to enter into business associate contracts with their business associates’ subcontractors. 

Although HHS now has direct enforcement authority over business associates and subcontractors, business associate agreements are still important in order to have business associates/subcontractors remain contractually liable. 

Conclusion:

In sum, health care providers should immediately evaluate their relationships with their vendors, including identifying which vendors constitute business associates in order to ensure that they have compliant business associate agreements in place.  That being said, covered entities who have business associate agreements already in place should have their business associate agreements reviewed so that the appropriate amendments can be made if necessary, and those covered entities without business associate agreements in place should have such agreements drafted immediately.   In addition to having compliant business associate agreements in place, covered entities need to make certain that their privacy and security policies, as well as HIPAA authorization forms, are compliant, and that their staff is informed of such changes.  The federal government has invested a significant amount of money with the Office of Civil Rights (the branch of HSS responsible for enforcement of HIPAA violations), and has indicated that it will be conducting an increasing number of audits in the near future in order to identify instances of non-compliance.   Such violations carry steep penalties and health care providers need to protect themselves and their practices so that exposure is limited. 

About the Authors:

Mathew J. Levy is a Partner of the firm and co-chairs the Firms corporate transaction and healthcare regulatory practice. Mr. Levy has particular experience in advising health care clients with respect to contract issues, business transactions, practice formation, regulatory compliance, mergers & acquisitions, professional discipline, healthcare fraud & billing fraud, insurance carrier audits including prepay and post payment review, litigation & arbitration, and asset protection-estate planning. You can reach Mathew Levy at 516-926-3320 or email: mlevy@weisszarett.com.

Stacey Lipitz Marder is an associate at Weiss Zarett Brofman Sonnenklar & Levy, PC., with experience representing healthcare providers in connection with transactional and regulatory matters including the formation and structure of business entities, negotiating and drafting contracts and commercial real estate leases, stock and asset acquisitions and general corporate counseling.  Ms. Marder also has experience advising healthcare clients on a wide range of regulatory issues including Stark, the Anti-Kickback Statute, fraud and abuse regulations, HIPAA, reimbursement and licensing matters.


[1]  On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released the omnibus regulations under HIPAA , including implementing changes made by the HITECH Act (the final rule).  The final rule is effective September 23, 2013.