Business Associate Agreement Under HIPAA: Your Clients Are Protected; Are You?

nat rosasco • August 2, 2018

 Representing healthcare clients is a very involved and complex task for any attorney to handle. This is especially true from a compliance perspective. The Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) provides the requirements for the privacy and security rules regulating protected health information (“PHI”) of individuals and entities.


Additionally, the HIPAA Privacy Rule and Security Rule (the “Rule”) set forth the rules for enforcing HIPAA violations and handling notifications involving any breach involving PHI (a “Breach”). Individuals and organizations required to comply with the Rule are called “Covered Entities.” However, the application of HIPAA does not stop at Covered Entities. HIPAA also applies to the business associates of Covered Entities, a role that is occupied by many attorneys representing Covered Entities.


What is a Business Associate?

On January 25, 2013, the final changes to the Rule were published. Under the Rule, a “business associate” of a Covered Entity can be held directly liable under HIPAA for a Breach. The Rule provides for three types of business associates working with or on behalf of Covered Entities: (1) business associate subcontractors; (2) entities routinely transmitting and accessing PHI; and (3) personal health record vendors.


Generally speaking, attorneys representing Covered Entities or business associates are business associate subcontractors if, in representing a Covered Entity or business associate, the attorney requires access to PHI in order to do their work for their client. If an attorney is a business associate, then a written Business Associate Agreement with their client is required.


Why Should I Enter Into A Business Associate Agreement?

The Rule requires business associates to enter into a written Business Associate Agreement that implements reasonable and appropriate policies in order to comply with the Rule and any Breaches thereunder. Failure to implement a written Business Associate Agreement can result in substantial fines and penalties. Amongst other things, Attorneys who are business associates can be held directly liable under the Rule, just as a Covered Entity would, for Breaches and violations of the Rule.


What is Required Under a Business Associate Agreement?

In order to avoid or reduce the chance of incurring liability for a Breach or other violation of the Rule the acts listed above, it is important to have a detailed and effective Business Associate Agreement. The template for a Business Associate Agreement should begin by incorporating the following requirements set forth under the Rule:

1)  Establish the business associate’s permitted and required uses of PHI by setting forth how and when the business associate will use the PHI;

2)  Provide that the business associate will only disclose PHI other than is set forth in the Business Associate Agreement or is required by law;

3)  Implement appropriate safeguards to prevent the unauthorized use or disclosure of PHI;

4)  Implement the requirements of the HIPAA Security Rule regarding electronic PHI;

5)  Establish the situations and circumstances under which the business associate must disclose PHI to a requesting party;

6)  Require the business associate to comply with all applicable requirements to the extent that the business associate is carrying out an obligation under the Rule on behalf of the covered entity;

7)  Require the business associate’s internal practices, books and records in relation to the use and disclosure of PHI to be made available to the U.S. Department of Health & Human Services so that determinations regarding compliance with the Rule can be made;

8)  To the extent practicable, require the business associate to return or destroy all PHI at the termination of the Business Associate Agreement;

9)  Provide that any subcontractors, as defined by the Rule, business associate will engage with require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and

10)Provide for a termination of the Business Associate Agreement if the business associate violates a material term of the Agreement.


How will a Business Associate Agreement Reduce Attorney Liability?

While no Business Associate Agreement can eliminate an attorney’s liability under the Rule, it can greatly assist the attorney in limiting their liability to the extent possible.


First, while a Business Associate Agreement cannot change the statutory timeframes for providing notice or curing a Breach under the Rule, an attorney can give themselves as much leeway as possible with respect to how and when it must provide notice or cure a Breach by allowing themselves as much time as is permitted under the Rule.


Second, the Business Associate Agreement can provide greater clarity to the parties in detailing what a Breach is and when a Breach a occurs. This will help both parties reduce the probability of a Breach, recognize when a Breach occurs, and address either party’s failure to comply with the notice and cure provisions of the Rule.


Third, the Business Associate Agreement can provide essential guidance in handling a Breach by clearly stating each party’s responsibilities in the event of a Breach and the best and most efficient way to cure a Breach. Having definite and delegated plans of action for each party will provide security to each party in handling a Breach.


Finally, in addition to entering in to a Business Associate Agreement, it is also important to remember take a step back, evaluate your practice and determine the best way to become HIPAA and Rule compliant. This can be done by assessing your current level of compliance with HIPAA, projecting potential future compliance needs as your practice changes or grows and a developing plan of action to address any gaps you may discover or anticipate. 

Options for Addressing Title Encumbrances in Loan Transactions

By Jordan Uditsky January 4, 2022
An amendment to the Mechanics Lien Act (the "Act') permits the bonding over of mechanic's liens in the State of Illinois. The bill was signed into law ( 770 ILCS 60/38.1 ) on July 28, 2015, and went into effect on January 1, 2016. This statute is significant because it allows parties to "clear title" to real property that would otherwise be subject to a mechanic's lien. An eligible applicant will be permitted to substitute a bond for the real property subject to the underlying mechanic's lien so that the lien attaches to the bond instead of the real property. Who is Eligible? To take advantage of 770 ILCS 60/38.1 , the party desiring to bond over the lien must be an eligible applicant. The statute defines applicant relatively broadly to include the following parties: An owner; Other lien claimant; A party that has an interest in the property subject to the lien claim; An association representing owners organized under any statute or to which the Common Interest Community Association Act applies; or Any person who may be liable for the payment of the lien claim, including an owner, former owner, association representing owners organized under any statute or to which the Common Interest Community Association Act applies, or the contractor or subcontractor. Process for Filing a Petition To effectively substitute the bond for the real property, the applicant must file a petition with the clerk of the circuit court in the county where the property subject to the underlying lien claim is located. The petition must include the following: The name and address of the applicant and the applicant's attorney, if any; The name and address of the lien claimant; If there is a pending action to enforce the claim, the name of the attorney of record, or if there is no pending claim, but the claim has been recorded, the name of the preparer of the lien claim; The name and address of the owner of record of any real estate subject to the claim or the name and address of the homeowners association or the condominium association; A legal description of the property; A copy of the lien claim; A copy of the proposed eligible surety bond; A certified copy of the surety's certificate of authority from the Department of Insurance or the state agency charged with the duty to issue the certificate; and An undertaking by the applicant to replace the bond with another eligible surety bond in the event that the proposed eligible surety bond ceases to be an eligible bond. After filing a proper petition, the applicant must provide notice and a copy of the petition, either by personal service or certified mail, to every party whose name and address is stated in the petition and the lien party's attorney of record. Jordan Uditsky, an accomplished businessman and seasoned attorney, combines his experience as a legal counselor and successful entrepreneur to advise business owners in the Chicago area.

On the Move: Legal Issues Affecting Motor Vehicle Manufacturer and Dealer Law

By Lou Chronowski November 10, 2021
“Pandemic Impact? - New York Federal Court Allows Termination Dispute to Proceed” 

On the Move: The Future is Now!

By Lou Chronowski October 19, 2021
Welcome to GHU’s newest blog – On the Move: The Future is Now! This blog focuses on legal and policy issues facing the vehicle industry. The future is now for the vehicle industry. Some states (CA and MA) have issued mandates requiring that vehicle manufacturers stop selling new ICE (internal combustion engine) vehicles by 2035. Most legacy vehicle manufacturers have made various announcements stating that their respective product portfolios will move from ICE to zero emission vehicles (EVs) over the next 10-14 years. Another significant issue facing the issue relates to how vehicles are purchased. Over the past several years, Tesla has charted a distribution model that rejects traditional dealerships and uses direct sales and service. Other EV manufacturers like Rivian and Lucid appear to be headed in a similar direction. It is well known that Apple and Amazon have plans to enter the vehicle space as well. Consumers will have a large role in determining how they want to purchase vehicles and vehicle services (much the same as they did with respect to on-demand transportation with the likes of Uber and Lyft). The question is whether traditional manufacturers will be kept on an uneven playing field with these newer market entrants. Finally, autonomous vehicles (AVs) are right around the corner as well. In addition to consumer adoption and acceptance of EVs, it is still unknown how consumers will react to AVs and whether AVs have a large role in America. The future is now. The changes in the industry are happening now and happening at fast pace. This blog will continue to explore issues facing the vehicle industry. For 20 years, Lou Chronowski has represented motor vehicle manufacturers helping them navigate complex laws and regulations and litigating disputes against dealers. If you have any questions, please contact Lou at lchronowski@ghulaw.com .
Show More