
HIPAA Consult


Answers to your questions about... updating business associate agreements; unauthorized release of information; penalties for failing to act.

Updating business associate agreements

Q. In 2003, when the privacy rule first took effect, I entered into a business associate agreement with my billing company, as HIPAA requires. Must I now update that agreement in light of the new security standards?

A. Yes, if your billing company handles protected medical information electronically, whether via a computer, a computer disc, a PDA, or a similar electronic device. In such cases, be sure to update your agreement so that your billing company is required to:

Unauthorized release of information

A. No, provided you have an appropriate business associate agreement in place and were not aware of the unauthorized releases. As a general rule, you're neither required to monitor a business associate's privacy safeguards nor responsible for its actions. But if you somehow discover that a vendor with whom you've entered into a business associate agreement has materially breached or violated that contract, you must take reasonable steps to remedy the problem. If your efforts don't work, you must terminate the contract. If you can't terminate the contract (because there are no viable alternatives, for instance), you must report the problem to the US Department of Health and Human Services Office for Civil Rights.

Penalties for failing to act

Q. If I become aware of a vendor-related breach of privacy and fail to act, or if I don't enter into an appropriate business associate agreement in the first place, can I be fined?

A. Yes. Each of these is a violation of HIPAA's administrative requirements. This April, the government released a proposed enforcement rule that more clearly spells out the consequences of noncompliance, not only with the administrative rules but with other parts of HIPAA as well. The new rule proposes civil penalties of up to $100 per violation (and up to $25,000 in a calendar year for repeat violations of the same requirement) or, in extreme cases, criminal sanctions.

Before the government can hold you responsible, though, it must demonstrate, among other things, that the vendor is your agent and under your control.

Margaret M. Davino (mdavino@kbrny.com) is a healthcare attorney with Kaufman Borgeest & Ryan, in New York City.

This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice. Please submit questions via e-mail to mehipaa@advanstar.com or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.
