HIPAA Compliance for Lawyers

Business Associate Agreements

In June, news of a months-long security breach at the American Medical Collection Agency (AMCA) was made public. To date, 24 separate healthcare organizations have fallen victim to the data breach, which has affected almost 25 million patients. To put this figure into perspective, the latest U.S. Census Bureau data puts the total population of the United States at approximately 327.2 million people. The number of 25 million represents approximately 8 percent of the entire U.S. population. The sheer enormity of this data breach, and other similar breaches, means that in-house lawyers for covered entities must have a thorough understanding of what factors can put their organizations at risk of a breach, and what must be done to mitigate that risk. HIPAA compliance for lawyers has become a necessity.

What is HIPAA Compliance for Lawyers?
Simply put, HIPAA compliance for lawyers requires that lawyers who represent, or who act as in-house counsel for, covered entities (healthcare providers and health plans) be versed in the HIPAA rules. HIPAA compliance for lawyers requires that lawyers have a working knowledge of:

  • The HIPAA Privacy Rule
  • The HIPAA Security Rule
  • The HIPAA Breach Notification Rule
  • The HIPAA Omnibus Rule

One vital component of HIPAA compliance for lawyers who represent covered entities is fluency in business associate agreement drafting and enforcement.

What Are Business Associate Agreements?

Any individual or entity that:

  1. Performs functions or activities on behalf of a covered entity, and
  2. In doing so requires access to protected health information,

is considered to be a business associate.

Generally, before the covered entity (CE) may disclose protected health information (PHI) to the business associate (BA), the CE and the BA must enter into a business associate contract.

HIPAA Compliance for Lawyers: The Ten Commandments of Business Associate Contracts

According to the Department of Health and Human Services, a business associate contract between a covered entity and a business associate should include, at a minimum, the following ten provisions:

(1) A provision that establishes the permitted and required uses and disclosures of protected health information by the business associate;

(2) A provision that provides that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;

(3) A requirement that the business associate implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementation of the requirements of the HIPAA Security Rule with regard to electronic protected health information (ePHI);

(4) A requirement that the business associate report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;

(5) A requirement that the business associate:

  • Disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information; and
  • Make available protected health information for amendments (and incorporate any amendments, if required) and accountings;

(6) To the extent the business associate is to carry out a covered entity’s obligation under the HIPAA Privacy Rule, a requirement that the business associate comply with the requirements applicable to the obligation;

(7) A requirement that the business associate make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity, for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;

(8) A requirement that, at the termination of the contract, to the extent feasible, the business associate return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;

(9) A requirement that the business associate ensure that any subcontractors it may engage on its behalf, that will have access to protected health information, agree to the same restrictions and conditions that apply to the business associate with respect to such information; and

(10) A provision authorizing termination of the contract by the covered entity if the business associate violates a material term of the contract.

HIPAA Compliance for Lawyers: Business Associate Agreement Enforcement

In-house counsel cannot simply draft a proper agreement and call it a day. HIPAA compliance for lawyers requires that lawyers communicate with their covered entities to ensure vigilant monitoring and enforcement of the business associate’s compliance with the terms of the agreement once it is in place. If the covered entity suspects that the business associate is not complying with one or more terms of the agreement, the covered entity should bring this to the attention of counsel, if counsel is not already aware. Counsel, once informed, may then notify the business associate’s attorneys of any contract compliance deficiencies so that these deficiencies can be corrected.

If the lawyers for the covered entity conclude that a material (substantial) term of the contract has been violated, the lawyers should be prepared to draft an appropriately worded notice of termination of the contract to counsel for the business associate. The notice should identify the material provision that has been breached and the facts associated with the breach, and should conclude that the covered entity is exercising its right to terminate the contract under the provision authorizing such termination.