Financial institutions may not first come to mind when thinking about federal medical privacy laws. But banks and other financial institutions that engage in services on behalf of certain health care entities can be directly subject to the provisions and penalties of the Health Insurance Portability and Accountability Act (“HIPAA”).
Enacted in 1996, HIPAA is a well-known and, at times, complex federal statute. Broadly speaking, HIPAA provides uniform requirements governing the use and disclosure of individually identifiable health information, also called “protected health information.” HIPAA is composed of a privacy component that regulates the means protected health information can be used, as well as a security component requiring the implementation of administrative, physical and technical requirements for electronic protected health information.
From the time HIPAA was enacted in 1996 until 2009, HIPAA only directly applied to “covered entities,” defined in federal law as health care providers, health plans and health care clearinghouses. The “business associates” of covered entities – businesses such as financial institutions that perform services on behalf of covered entities – were subject to HIPAA only through contracts with covered entities. These contracts, called business associate agreements, set forth requirements for the business associate’s use and dissemination of protected health information. The “Health Information Technology for Economic and Clinical Health Act” or the “HITECH Act,” was enacted as a part of the federal stimulus bill known as the American Recovery and Reinvestment Act of 2009 (“ARRA”). The 2009 HITECH Act expands and clarifies HIPAA privacy and security regulations, including some key changes related to business associates of covered entities.
It is important to understand which entities constitute business associates pursuant to federal law. A business associate is defined as an entity performing a service on behalf of a covered entity. Some examples of business associate services set forth in the federal regulations are claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; and billing. A bank or financial institution performing collection services, or any other type of services for a covered entity involving the transmission of protected health information, is a business associate and must comply with certain HIPAA requirements.
HIPAA requires that business associates enter into business associate agreements with covered entities that set forth the terms and conditions of the business associate’s use and maintenance of protected health information. These contracts require that a business associate use protected health information only for the purposes for which it was engaged, safeguard confidential information and assist the covered entity in complying with its own obligations under HIPAA. A business associate agreement must contain the elements specified at 45 CFR 164.504(e). For example, among other requirements, the contract must describe the permitted uses of protected health information, provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or by law, and require the business associate to use appropriate safeguards to prevent an unauthorized use or disclosure of the protected health information.
Under the HITECH Act, business associates are responsible for ensuring that business associate agreements meet HIPAA requirements. Pursuant to the HITECH ACT, business associates are now directly regulated by federal law. Thus, business associates are statutorily obligated to comply with certain HIPAA provisions. For example, business associates must establish administrative, physical and technical safeguards to prevent, detect and correct security breaches. Business associates are also now required by law to adhere to the terms of their business associate agreements. In practical terms, before the HITECH Act, failure to follow a business associate agreement constituted a contractual breach. Now, the failure to adhere to contractual terms may also constitute a violation of federal law.
The HITECH Act also expands the civil and criminal penalties facing both covered entities and business associates who violate HIPAA. The HITECH Act sets criminal penalties for individuals, including business associates, who without authorization obtain or disclose individually identifiable health information. The Act also includes monetary civil penalties for business associate privacy or security violations, ranging from $100 to $50,000 per violation, depending upon the knowledge and intent of the violator.
The federal government’s U.S. Department of Health & Human Services, Office for Civil Rights, maintains a comprehensive website describing HIPAA requirements for covered entities and business associates. Based upon the new HITECH Act requirements and the additional potential penalties facing business associates, it is advisable to have business associate contracts, as well as a business associate’s privacy and security policies, reviewed and updated for compliance.