Business Associates

Since the implementation of the HITECH Act, the HIPAA Privacy, Security and Breach Notification Rules apply not only to covered entities, but also to business associates.  While entities or individuals who meet the definition of business associates were previously only contractually liable for HIPAA violations, they now have direct liability and can be penalized for noncompliance with the HIPAA regulations.

Covered entities are required to enter into a business associate agreement with all persons or entities that meet the definition of a business associate as set forth in the HIPAA regulations.  While there are certain required elements that each business associate agreement must contain, the terms of these agreements often become a point of contention between covered entities and their business associates.

Our attorneys have extensive experience working with both health care providers and business associates in connection with:

  • Making determinations as to which entities and individuals meet the definition of “business associate” pursuant to the HIPAA regulations, as revised by the HITECH Act
  • Drafting and negotiating business associate agreement terms that comply with the HIPAA regulations
  • Helping business associates understand which provisions of the HIPAA regulations apply to them directly and how to develop policies and procedures to comply with those regulations
  • Assisting business associates with risk assessments as required by the HIPAA Security Rule
  • Providing guidance on what protected health information can be shared and with whom
  • Advising business associates on potential breach situations and next steps to take in compliance with the Breach Notification Rule, including assisting with risk assessments to determine whether an impermissible use or disclosure rises to the level of a “Breach” as defined by the Breach Notification Rule
  • Assisting business associates with developing employee training programs