Practice is liable if contractor discloses patient PHI

Q: I’ve heard that new Health Insurance Portability and Accountability Act (HIPAA) rules would make our practice liable if a business we contract with discloses a patient’s protected health information (PHI). Is that true?

A: Yes. In January, the government published a final rule regarding HIPAA that changes the ways medical practices maintain, use, and disclose PHI. The rule makes a medical practice liable for the acts or omissions of its agents, including an employee or a business associate.

As an example, if your billing company-which qualifies as a business associate-improperly uses or discloses PHI, then it will be subject to penalties, as will your practice as the covered entity.

Because you may now be exposed to a business associate’s liability, it is important to make sure that you have a proper agreement addressing the shifting of responsibility or fault in the event of a PHI breach.

Addressing your business associate relationships is one step in updating your practice with proper HIPAA documents that will be required before the September 23 compliance deadline. Other required steps include updating your HIPAA privacy policies, complying with maintenance of electronic PHI, implementing required privacy safeguards, and understanding your new practice obligations.

The author is the healthcare department manager for Kirschenbaum & Kirschenbaum PC in Garden City, New York. Engage with us at www.twitter.com/MedEconomics and www.facebook.com/MedicalEconomics.