The Health Insurance Portability and Accountability Act of 1996 (HIPAA) created a Privacy Rule and a Security Rule establishing national standards for the protection of certain health information and standards for protecting such information transferred or stored in electronic form. These rules apply to “covered entities” (i.e., health plans, health care providers) as well as “business associates” that receive, use, store or transmit protected health information (PHI). When a covered entity engages in a transaction or contract with a business associate, a Business Associate Agreement is required. Failure to have such an agreement in place may prevent a covered entity from being paid or reimbursed by Medicare/Medicaid or a private insurer. While forms of Business Associate Agreements are readily found on the internet, these “forms” are by no means “standard”. We are experienced in drafting Business Associate Agreements on behalf of health care providers to assure compliance with the law while protecting the provider’s interest.
We recently had the opportunity to assist a large medical practice with negotiating its electronic medical records (EMR) agreement with a third-party provider. The agreement was quite lengthy, and had the client simply signed the provider’s “standard contract”, it could have suffered a material breach of its HIPAA responsibilities. The contract allowed the EMR provider to use the client’s information, including PHI of its patients, by “deleting” the PHI and then selling such information to another party. The gathering and analyzing of such data is known as data mining. However, if allowed, the client is at risk if a patient’s PHI is accidentally released. We were able to successfully create safeguards in the contract to protect both our client and their patients. However, without our intervention, the third-party provider would have had minimal liability exposure in the event of a data breach.