Revenue Cycle Management
COVID-19
Reimbursement
Diabetes Awareness Month
Risk Management
Patient Retention
Staffing
Medical Economics® 100th Anniversary
Coding and documentation
Business of Endocrinology
Telehealth
Physicians Financial News
Cybersecurity
Cardiovascular Clinical Consult
Locum Tenens, brought to you by LocumLife®
Weight Management
Business of Women's Health
Practice Efficiency
Finance and Wealth
EHRs
Remote Patient Monitoring
Sponsored Webinars
Medical Technology
Billing and collections
Acute Pain Management
Exclusive Content
Value-based Care
Business of Pediatrics
Concierge Medicine 2.0 by Castle Connolly Private Health Partners
Practice Growth
Concierge Medicine
Business of Cardiology
Implementing the Topcon Ocular Telehealth Platform
Malpractice
Influenza
Sexual Health
Chronic Conditions
Technology
Legal and Policy
Money
Opinion
Vaccines
Practice Management
Patient Relations
Careers

HIPAA Consult

July 8, 2005

Article

Answers to your questions about...Updating business associate agreements; unauthorized release of information; penalties for failing to act.

Updating business associate agreementsQ. In 2003, when the privacy rule first took effect, I entered into a business associate agreement with my billing company, as HIPAA requires. Must I now update that agreement in light of the new security standards?

A. Yes, if your billing company handles protected medical information electronically, whether via a computer, a computer disc, a PDA, or a similar electronic device. In such cases, be sure to update your agreement so that your billing company is required to:

A. No, provided you have an appropriate business associate agreement in place and were not aware of the unauthorized releases. As a general rule, you're neither required to monitor a business associate's privacy safeguards, nor responsible for its actions. But if you somehow discover that a vendor with whom you've entered into a business associate agreement has materially breached or violated that contract, you must take reasonable steps to remedy the problem. If your efforts don't work, you must terminate the contract. If you can't terminate the contract (because there are no viable alternatives, for instance), you must report the problem to the US Department of Health and Human Services Office for Civil Rights.

Penalties for failing to actQ. If I become aware of a vendor-related breach of privacy and fail to act, or if I don't enter into an appropriate business associate agreement in the first place, can I be fined?

A. Yes. Each of these is a violation of HIPAA's administrative requirements. This April, the government released a proposed enforcement rule that more clearly spells out the consequences of noncompliance, not only with the administrative rules but with other parts of HIPAA, as well. The new rule proposes civil penalties of up to $100 per violation-and up to $25,000 in a calendar year for repeat violations of the same requirement-or, in extreme cases, criminal sanctions.

Before the government can hold you responsible, though, it must demonstrate, among other things, whether the vendor is your agent and under your control.

Margaret M. Davino mdavino@kbrny.com is a healthcare attorney with Kaufman Borgeest & Ryan, in New York City.

This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice. Please submit questions via e-mail to mehipaa@advanstar.com or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.