Stimulus package alters HIPAA rules for business associates

A column examining the ins and outs of contract issues

By Steven M. Harris, a partner at McDonald Hopkins in Chicago concentrating on health care law and co-author of Medical Practice Divorce. He writes the "Contract Language" column. Posted May 4, 2009.


The American Recovery and Reinvestment Act, better known as the stimulus bill, is notable for the $19 billion it offers for incentives to adopt and use health information technology. But it also expands the reach of the Health Insurance Portability and Accountability Act.

Specifically, the stimulus bill expands the reach of privacy and security rules implemented under HIPAA to cover business associates and covered entities.

It's been six years since you were first required to understand those terms for following HIPAA. But in case you need a refresher, a covered entity is a health plan, health care clearinghouse (billing services, community health information system and the like), or a hospital or physician who transmits health information in electronic form.

A business associate is someone who, on behalf of a covered entity, performs an activity involving the use or disclosure of individuals' health care information. That includes the performance of legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity.

These expansions under the stimulus bill are different from the Federal Trade Commission's red flag rules that impose certain duties on financial institutions and creditors with the goal of curtailing identity theft.

Unlike those rules, which the AMA and others fought because they expanded the definition of a creditor to physicians, these HIPAA expansions were explicitly directed to physicians in the legislation.

So what is new?

Under the stimulus bill, several HIPAA security provisions now apply to business associates in the same manner that those provisions apply to covered entities. That means business associates of covered entities will now have an affirmative duty to protect the confidentiality of electronic protected health information created, received, maintained or transmitted in performing services for or on behalf of covered entities.

So your business associates will need to implement written policies to, among other things, prevent, detect, contain and correct security violations of electronic information, and develop safeguards to limit access.

While HIPAA already requires business associates and covered entities to enter into a written contract, be sure that you are not relying on an old agreement that does not take into account this new law.

Also under the stimulus bill, if in the course of their relations a covered entity will be disclosing protected health information to a business associate and/or allowing the business associate to create or receive such information on its behalf, the business associate may use and disclose the information only if such use or disclosure complies with the written contract requirements under the privacy provisions of HIPAA.

Additionally, business associates now have an affirmative duty, and this duty must be stated in the written contract. Under the new law, if a business associate is aware of a pattern of activity or practice of the covered entity that constitutes a material breach of the covered entity's obligations under the contract, the business associate must take reasonable steps to cure the breach.

However, if the business associate takes reasonable steps and such steps are unsuccessful, he or she must either terminate the contract with the covered entity (if feasible) or report the problem to the secretary of Health and Human Services.

If you find this confusing, you are in the vast majority. Legislators recognize this and require the HHS secretary to issue annual guidance on complying with the new law.

American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession.