The “administrative simplification” requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) impose privacy and security standards, among others, on “covered entities” (i.e., health plans, most health-care providers, and health-care clearinghouses). These rules are generally burdensome and complex, and, as a result, covered entities often look to outside vendors/service providers to assist in them in their day-to-day operations. Recognizing this to be the case, the final HIPAA privacy and security regulations require covered entities to enter into contracts with their vendors and service providers (or “business associates” in the parlance of the HIPAA final privacy and security rules) obligating them to safeguard “Protected Health Information” (PHI) (in the case of the privacy rule) and “electronic Protected Health Information” (ePHI) (in the case of the security rule). The precise nature of the obligations imposed on business associates under the privacy and security rules was left vague, however, and many business associates were content to simply sign a business associate agreement and do little more.
The American Recovery and Reinvestment Act of 2009 (the “Act”) contains a series of provisions aimed at strengthening and extending the basic HIPAA privacy and security protections. Among other things, the Act tightens the rules relating to the minimum necessary disclosures of PHI, imposes additional notice requirements in the case of security breaches, and grants new enforcement powers to the states. Additionally, it extends certain, key substantive privacy and security provisions to business associates.
Please see full alert for more information.
Please see full publication below for more information.