Banner

Article

HIPAA Consult

Answers to your questions about...Updating business associate agreements; unauthorized release of information; penalties for failing to act.

Updating business associate agreementsQ. In 2003, when the privacy rule first took effect, I entered into a business associate agreement with my billing company, as HIPAA requires. Must I now update that agreement in light of the new security standards?

A. Yes, if your billing company handles protected medical information electronically, whether via a computer, a computer disc, a PDA, or a similar electronic device. In such cases, be sure to update your agreement so that your billing company is required to:

A. No, provided you have an appropriate business associate agreement in place and were not aware of the unauthorized releases. As a general rule, you're neither required to monitor a business associate's privacy safeguards, nor responsible for its actions. But if you somehow discover that a vendor with whom you've entered into a business associate agreement has materially breached or violated that contract, you must take reasonable steps to remedy the problem. If your efforts don't work, you must terminate the contract. If you can't terminate the contract (because there are no viable alternatives, for instance), you must report the problem to the US Department of Health and Human Services Office for Civil Rights.

Penalties for failing to actQ. If I become aware of a vendor-related breach of privacy and fail to act, or if I don't enter into an appropriate business associate agreement in the first place, can I be fined?

A. Yes. Each of these is a violation of HIPAA's administrative requirements. This April, the government released a proposed enforcement rule that more clearly spells out the consequences of noncompliance, not only with the administrative rules but with other parts of HIPAA, as well. The new rule proposes civil penalties of up to $100 per violation-and up to $25,000 in a calendar year for repeat violations of the same requirement-or, in extreme cases, criminal sanctions.

Before the government can hold you responsible, though, it must demonstrate, among other things, whether the vendor is your agent and under your control.

Margaret M. Davino mdavino@kbrny.com is a healthcare attorney with Kaufman Borgeest & Ryan, in New York City.

This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice. Please submit questions via e-mail to mehipaa@advanstar.com or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.

Related Videos
Jay W. Lee, MD, MPH, FAAFP headshot | © American Association of Family Practitioners
Related Content
Negative browsing habits lead to negative moods: ©Teodor Lazarev -stock.adobe.com
November 25th 2024

Your patients’ browsing habits may be driving their negative moods

Ep 34: U.S. Rep. Earl L. 'Buddy' Carter on physicians getting involved in policy
June 28th 2024

Ep 34: U.S. Rep. Earl L. 'Buddy' Carter on physicians getting involved in policy

© shevchukandrey - stock.adobe.com
November 20th 2024

USPSTF releases the 14th Annual Report to Congress on High-Priority Evidence Gaps for Clinical Preventive Services

Logo: Off the Chart with Medical Economics
January 29th 2021

Telehealth's long-term impact on the business of medicine

I built an atypical family medicine empire: ©JackF - stock. adobe.com
November 19th 2024

I built an empire nobody wants

cash and stethoscope | © Valeri Luzina - stock.adobe.com
November 19th 2024

Take the Staff Salary Survey now!