HIPAA applies to both covered entities (e.g., healthcare providers and health plans) and their business associates. A “business associate” is generally a person or entity that “creates, receives, maintains or transmits”...more
10/25/2023 / Business Associates, Business Associates Agreement (BAA), Covered Entities, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Security Rule, OCR, Patient Confidentiality Breaches, PHI, Security Risk Assessments, Software, Subcontractors
The HIPAA Privacy and Security Rules generally require covered entities (including most healthcare providers) to execute written agreements (“business associate agreements” or “BAAs”) with their business associates before...more
10/20/2023 / Business Associates, Business Associates Agreement (BAA), Civil Monetary Penalty, Covered Entities, Data Breach, Disclosure Requirements, Electronic Protected Health Information (ePHI), Federal Trade Commission (FTC), Health Care Providers, HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Violations, OCR, Penalties, PHI, Settlement, Subcontractors, Termination, Written Agreements
The HIPAA privacy and security rules impose significant requirements on covered entities and their business associates; violations may result in penalties ranging from $119 to $59,522 per violation. (45 CFR § 160.404; 45 CFR...more
In an era of decreasing reimbursement and rapidly expanding opportunities associated with “big data”, healthcare entities may be looking for ways to monetize protected health information (“PHI”) for their own, non-patient...more
2/20/2020 / Business Associates, Business Associates Agreement (BAA), Consent, Consumer Privacy Rights, Covered Entities, Data Collection, Data Privacy, Data Sellers, Data Use Policies, De-Identified Protected Health Information, Department of Health and Human Services (HHS), Disclosure Requirements, Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, Information Sharing, Medical Records, Notice Requirements, OCR, PHI, Privacy Policy
Thanks to a federal judge, the Office for Civil Rights has modified its rules for sending records to third parties. Covered entities are no longer required by HIPAA to send non-electronic protected health information (“PHI”)...more
2/10/2020 / Business Associates, Covered Entities, Data Protection, Data Transfers, Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Omnibus Rule, HITECH Act, Medical Records, OCR, Patient Privacy Rights, PHI, Records Request, Right of Access
This week, the Office for Civil Rights (“OCR”) announced a $3,000,000 HIPAA settlement arising from a medical center’s loss of an unencrypted laptop and flash drive. This is simply the latest of many HIPAA settlements based...more
11/8/2019 / Business Associates, Covered Entities, Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), Encryption, Enforcement Actions, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Breach Notification Rule, HIPAA Security Rule, HITECH Act, Laptop Computers, Mobile Devices, OCR, Penalties, Settlement
Healthcare providers sometimes mistakenly assume that they cannot contact a patient’s spouse, parents, or other third parties to obtain payment without the patient’s consent. However, HIPAA generally allows healthcare...more
Business associates may want to use a covered entity’s protected health information (“PHI”) for the business associates’ own purposes, e.g., for their own product development, data aggregation, marketing, etc. However, with...more
9/6/2019 / Business Associates, Covered Entities, Cybersecurity, Data Protection, Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, OCR, PHI
The HITECH Act extended certain HIPAA obligations to business associates, including those entities that create, receive, maintain or transmit protected health information (“PHI”) on behalf of covered entities. Business...more
HIPAA penalties vary depending on the type of conduct involved. (45 CFR § 160.404). Under HHS’s prior interpretation, the types of violations were all subject to an annual maximum penalty of $1,500,000 for identical types of...more
Failing to have HIPAA business associate agreements (“BAAs”) can result in significant penalties for healthcare providers and business associates. Last month, the OCR imposed a $500,000 settlement and robust corrective action...more
Healthcare providers, health plans and healthcare clearinghouses (“covered entities”) and business associates are subject to significant penalties for violations of the HIPAA Privacy, Security and Breach Notification Rules....more
3/12/2018 / Breach Notification Rule, Breach of Contract, Business Associates, Civil Monetary Penalty, Corporate Misconduct, Covered Entities, Cybersecurity, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Omnibus Rule, Patient Privacy Rights, Physicians, Professional Liability, Subcontractors