HIPAA Consult

July 8, 2005

Answers to your questions about...Updating business associate agreements; unauthorized release of information; penalties for failing to act.

Updating business associate agreementsQ. In 2003, when the privacy rule first took effect, I entered into a business associate agreement with my billing company, as HIPAA requires. Must I now update that agreement in light of the new security standards?

A. Yes, if your billing company handles protected medical information electronically, whether via a computer, a computer disc, a PDA, or a similar electronic device. In such cases, be sure to update your agreement so that your billing company is required to:

A. No, provided you have an appropriate business associate agreement in place and were not aware of the unauthorized releases. As a general rule, you're neither required to monitor a business associate's privacy safeguards, nor responsible for its actions. But if you somehow discover that a vendor with whom you've entered into a business associate agreement has materially breached or violated that contract, you must take reasonable steps to remedy the problem. If your efforts don't work, you must terminate the contract. If you can't terminate the contract (because there are no viable alternatives, for instance), you must report the problem to the US Department of Health and Human Services Office for Civil Rights.

Penalties for failing to actQ. If I become aware of a vendor-related breach of privacy and fail to act, or if I don't enter into an appropriate business associate agreement in the first place, can I be fined?

A. Yes. Each of these is a violation of HIPAA's administrative requirements. This April, the government released a proposed enforcement rule that more clearly spells out the consequences of noncompliance, not only with the administrative rules but with other parts of HIPAA, as well. The new rule proposes civil penalties of up to $100 per violation-and up to $25,000 in a calendar year for repeat violations of the same requirement-or, in extreme cases, criminal sanctions.

Before the government can hold you responsible, though, it must demonstrate, among other things, whether the vendor is your agent and under your control.

Margaret M. Davino mdavino@kbrny.com is a healthcare attorney with Kaufman Borgeest & Ryan, in New York City.

This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice. Please submit questions via e-mail to mehipaa@advanstar.com or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.